Elliptic curve cryptosystem apparatus, storage medium storing elliptic curve cryptosystem program, and elliptic curve cryptosystem arithmetic method

ABSTRACT

A scalar multiplication can be performed on an elliptic curve cryptosystem at a high speed. P is set as an initial value of Q[0], and 2×P is set as an initial value of Q[1]. An elliptic curve doubling ECDBL of Q[d[i]] is performed, and an arithmetic result is stored in Q[2]. An elliptic curve addition ECADD of Q[0] and Q[1] is performed, and an arithmetic result is stored in Q[1]. Q[2−d[i]] is stored in Q[0]. Q[1+d[i]] is stored in Q[1]. The elliptic curve addition ECADD and the elliptic curve doubling ECDBL are concurrently performed in the respective processors.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to an elliptic curve cryptosystem apparatus, a storage medium storing an elliptic curve cryptosystem program, and an elliptic curve cryptosystem arithmetic method.

[0003] 2. Description of the Related Art

[0004] An elliptic curve cryptosystem is one of the public key cryptosystems, and is used in the processes of encryption, decryption, signature generation, authentication, etc.

[0005] Assuming that p indicates a prime number equal to or larger than 2, and m indicates a natural number equal to or larger than 1, the Weierstrass form elliptic curve over the finite field GF(q) with q=p^m elements is a group obtained by adding the point ∞ referred to as a point at infinity to the group of points (x, y) satisfying the equation

E:y^2+a1×x×y+a3×y=x^3+a2×x^2+a4×x+a6 (^ indicates a power)

[0006] The point at infinity ∞ can also be represented by 0.

[0007] In the equation, a1, a2, a3, a4, a6, x, and y are elements of the GF(q). Especially, when p is a prime number equal to or larger than 5, the Weierstrass form elliptic curve in the GF(p^m) is a group obtained by adding the point ∞ referred to as a point at infinity to the group of points (x, y) satisfying the equation

E:y^2=x^3+a×x+b

[0008] The point at infinity ∞ can also be represented by 0.

[0009] In the equation, a, b, x, and y are elements of the GF(p^m), and satisfy 4×a^3+27×b^2≠0. The point at infinity ∞ is a point which cannot be represented in the (x, y) coordinate system.

[0010] Assume that P indicates a point on the Weierstrass form elliptic curve E in the GF(p^m). The inverse −P is defined as follows.

[0011] (1) if P=∞ then −P=∞

[0012] (2) if P≠∞ then the following equation holds for P=(x, y)

−P=(x, −y)

[0013] P1 and P2 are assumed to be two points on the Weierstrass form elliptic curve E. Then, the sum of P1 and P2 is defined as P3=P1+P2 as follows.

[0014] (1) if P1=∞ then P3=P2

[0015] (2) if P2=∞ then P3=P1

[0016] (3) if P1=−P2 then P3=∞

[0017] (4) if P1≠−P2, then the following equation holds for P1=(x1, y1), P2=(x2, y2), P3=(x3, y3),

x3=λ^2−x1−x2, y3=λ×(x1−x3)−y1,

[0018]  where

[0019] λ=(y2−y1)/(x2−x1) when P1≠P2, and

[0020] λ=(3×x1^2+a)/(2×y1) when P1=P2

[0021] Computing P1+P2 when P1≠P2 is referred to as elliptic curve addition ECADD, and computing P1+P2=2×P1 when P1=P2 is referred to as elliptic curve doubling ECDBL.

[0022] FIGS. 1 and 2 are explanatory views of the elliptic curve addition and the elliptic curve doubling. The elliptic curve addition is performed to obtain the point P3=P1+P2=(x3, y3) by reflecting across the x axis the point at which the straight line connecting the point P1=(x1, y1) on the elliptic curve to the point P2=(x2, y2) on the elliptic curve intersects the curve, as shown in FIG. 1. The values of x3 and y3 can be represented by the following equations.

x3={(y1−y2)/(x1−x2)}^2−x1−x2 (^ indicates a power)

y3={(y1−y2)/(x1−x2)}(x1−x3)−y1

[0023] The elliptic curve doubling is performed to obtain the point P4=2×P1=(x4, y4) by reflecting across the x axis the point at which the tangent at the point P1=(x1, y1) on the elliptic curve intersects the curve, as shown in FIG. 2. The values of x4 and y4 can be represented by the following equations.

x4={(3×x1^2+a)/(2×y1)}^2−2×x1

y4={(3×x1^2+a)/(2×y1)}(x1−x4)−y1

[0024] Scalar multiplication refers to computing the point d×P=P+P+ . . . +P (sum taken d times) for the elliptic curve over the finite field, for the point P on the curve, and for the integer (also referred to as a scalar) d. The scalar multiplication is represented by a combination of the elliptic curve addition and the elliptic curve doubling.

[0025] The computation time of the elliptic curve addition, the elliptic curve doubling, and the scalar multiplication can frequently be estimated by a sum of the computation times of multiplication, squaring, and inversion in the GF(q). This is because the practical computations of elliptic curve addition, elliptic curve doubling, and scalar multiplication are a combination of addition, subtraction, multiplication, squaring, and inversion in the GF(q), and in many cases, the computation time of addition, subtraction, and multiplication by a constant is comparatively shorter than the computation time of other processes, and can be ignored. For example, the above mentioned elliptic curve addition requires two multiplying operations, one squaring operation, and one inversion operation in the GF(p^m). These operations are represented by 2M+1S+1I.

[0026] Normally, the computation time of the inversion in the GF(p^m) is much longer than that of the multiplication and squaring. Therefore, in the actual scalar multiplication, projective coordinates are used in representing a point on an elliptic curve. In the projective coordinate system, a point is represented by a combination of three elements in the GF(p^m) such as (X:Y:Z). However, it is assumed that (X:Y:Z) is the same point as (r×X:r×Y:r×Z) for the element r in the GF(p^m) where r≠0. In the projective coordinate system, the Weierstrass form elliptic curve is represented as follows.

E:Y^2×Z=X^3+a×X×Z^2+b×Z^3

[0027] where x=X/Z, and y=Y/Z is substituted. The point at infinity is represented by ∞=(0:1:0). In the projective coordinate system, there are standard algorithms in which the elliptic curve addition can be computed by 12M+2S, and the elliptic curve doubling can be computed by 7M+5S. Additionally, there are improved projective coordinate systems such as Jacobian coordinates, Chudnovsky coordinates, modified Jacobian coordinates, etc.

[0028] On the other hand, a group of points (u, v) satisfying the equation

B×v^2=u^3+A×u^2+u

[0029] for the elements A and B in the GF(p^m), and a group of the points referred to as points at infinity ∞ are referred to as a Montgomery form elliptic curve. In the projective coordinate system, a point is represented as a set (U:V:W) of three elements in the GF(p^m), and a curve is represented by the following equation.

B×V^2×W=U^3+A×U^2×W+U×W^2

[0030] The point at infinity is represented by ∞=(0:1:0). The formulas of elliptic curve addition and elliptic curve doubling are well known, as they are for the Weierstrass form elliptic curve.

[0031] Since the scalar multiplication on an elliptic curve is represented by a combination of arithmetics of the elliptic curve addition (ECADD) and the elliptic curve doubling (ECDBL), the entire computation time is evaluated based on the number of times of the arithmetics performed. The computation of the point d×P processed by the scalar multiplication is performed using the binary expression of d represented by the equation

d=d[n−1]×2^(n−1)+d[n−2]×2^(n−2)+ . . . +d[1]×2+d[0]

[0032] FIG. 3 shows the algorithm 1 of the conventional scalar multiplication.

[0033] In FIG. 3, P indicates the initial value of the variable Q[0], the elliptic curve doubling is performed on the point Q[0] in step 3, and an arithmetic result is stored in the Q[0]. If d[i]==1, the elliptic curve addition ECADD is performed on the point Q[0] and the point P in step 5, and the arithmetic result is stored in the point Q[0].

[0034] The computation time required in the scalar multiplication of the algorithm 1 is (n−1)/2×ECADD+(n−1)×ECDBL on average. The binary method can be replaced with the signed binary method so as to shorten the average computation time into (n−1)/3×ECADD+(n−1)×ECDBL.

[0035] To make the elliptic curve cryptosystem widespread, it is necessary to reduce the processing time and the resources (memory, circuit amount, etc.) required for implementation. In the elliptic curve cryptosystem, an arithmetic referred to as scalar multiplication is commonly used, and accounts for a large part of the entire encryption and decryption process. Therefore, the performance of the entire encryption and decryption depends heavily on the performance of this portion. Since the scalar multiplication process is a major process in the elliptic curve cryptosystem, it is desired that higher performance can be realized by the scalar multiplication.

[0036] However, in the arithmetic method of the above mentioned algorithm 1, it is necessary to perform the elliptic curve addition ECADD based on the arithmetic result Q[0] of the elliptic curve doubling ECDBL, and the shortening of the computation time of the scalar multiplication is limited.

[0037] Furthermore, since the elliptic curve cryptosystem can guarantee the security using a key length shorter than a conventional cryptosystem, it has become widespread in such low-power devices as smart cards, etc. However, the side channel attacks can be effective on these devices, and an algorithm of the scalar multiplication resistant to the attacks is required.

SUMMARY OF THE INVENTION

[0038] The object of the present invention is to perform the scalar multiplication on the elliptic curve cryptosystem at a higher speed. Another object of the present invention is to improve the resistance to the side channel attacks to the elliptic curve cryptosystem.

[0039] The elliptic curve cryptosystem apparatus according to the present invention performs the scalar multiplication on a natural number and a base point P set on the elliptic curve E, and includes: a storage unit for storing an elliptic curve over the finite field as the elliptic curve E, an n-bit natural number d, and the base point P; and an arithmetic unit for obtaining the d-multiplication point d×P of the point P in the scalar multiplication by the concurrent computation of the elliptic curve addition and the elliptic curve doubling.

[0040] According to the invention, the elliptic curve addition and the elliptic curve doubling can be concurrently performed. Therefore, the computation time for the scalar multiplication can be considerably shortened.

[0041] Another elliptic curve cryptosystem apparatus according to the present invention includes: an obtaining unit for obtaining the coordinates of the point P on an elliptic curve over the finite field and an n-bit natural number d; and an arithmetic unit for concurrently performing the elliptic curve addition ECADD and the elliptic curve doubling ECDBL when d×P is computed by repeating a predetermined number of times the arithmetics (1) through (3) below based on the coordinate of the point P and the natural number d obtained by the obtaining unit.

Q[2]=ECADD(Q[0], Q[1])  (1)

Q[0]=ECDBL(Q[0])  (2)

Q[1]=Q[1+d[i]]  (3)

[0042] where the initial value of the variable Q[0] is P, the initial value of the variable Q[1] is 0, and the coefficient in the binary expression on the natural number d obtained by the obtaining unit is d[i] (d[i]=0, 1).

[0043] According to the invention, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL can be concurrently performed. Therefore, the computation time for the scalar multiplication can be considerably shortened. Furthermore, for example, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL can be performed independent of d[i] in the arithmetics (1) through (3) above, thereby improving the resistance to the side channel attacks.

[0044] Furthermore, the elliptic curve cryptosystem apparatus according to the present invention includes an obtaining unit for obtaining the coordinates of the point P on an elliptic curve over the finite field and an n-bit natural number d; and an arithmetic unit for concurrently performing the elliptic curve addition ECADD and the elliptic curve doubling ECDBL when d×P is computed by repeating a predetermined number of times the arithmetics (1) through (3) below based on the coordinate of the point P and the natural number d obtained by the obtaining unit.

Q[2]=ECDBL(Q[d[i]])  (1)

Q[1]=ECADD(Q[0], Q[1])  (2)

Q[0]=Q[2−d[i]]  (3)

Q[1]=Q[1+d[i]]  (4)

[0045] where the initial value of the variable Q[0] is P, the initial value of the variable Q[1] is 2×P, and the coefficient in the binary expression on the natural number d obtained by the obtaining unit is d[i] (d[i]=0, 1).

[0046] According to the invention, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL can be concurrently performed. Therefore, the computation time for the scalar multiplication can be considerably shortened. Furthermore, for example, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL can be performed independent of d[i] in the arithmetics (1) through (3) above, thereby improving the resistance to the side channel attacks.

[0047] According to the above mentioned invention, the arithmetic unit includes a first register for storing Q[0], and a second register for storing Q[1]. After setting the initial value P of Q[0] in the first register, and the initial value 2×P of Q[1] in the second register, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL are performed. If d[i]=0, an arithmetic result of the elliptic curve doubling ECDBL can be stored in the first register, and an arithmetic result of the elliptic curve addition ECADD can be stored in the second register. If d[i]=1, an arithmetic result of the elliptic curve doubling ECDBL can be stored in the second register, and an arithmetic result of the elliptic curve addition ECADD can be stored in the first register.

[0048] A further elliptic curve cryptosystem apparatus according to the present invention includes: an obtaining unit for obtaining the x coordinate x1 of the point P1 on the elliptic curve over the finite field, the x coordinate x2 of the point P2, and the x coordinate x3′ of the point P3′=P1−P2; and an arithmetic unit for computing the x coordinate x3 of the point P3 in the elliptic curve addition P3=P1+P2 without using the y coordinate by the following equation.

x3=[(x1×x2−a)^2−4×b×(x1+x2)]/[x3′×(x1−x2)^2]

[0049] According to the invention, the x coordinate of the point P3 of the elliptic curve addition can be computed without using the y coordinates, thereby shortening the computation time.

[0050] A further elliptic curve cryptosystem apparatus according to the present invention includes: an obtaining unit for obtaining the x coordinate x1 of the point P1 of the elliptic curve over the finite field; and an arithmetic unit for computing the x coordinate x4 of the elliptic curve doubling P4=2×P1 without using the y coordinate by the following equation.

x4=[(x1^2−a)^2−8×b×x1]/[4×(x1^3+a×x1+b)]

[0051] According to the invention, the x coordinate of the point P4 of the elliptic curve doubling can be computed without using the y coordinates, thereby shortening the computation time.

[0052] A further elliptic curve cryptosystem apparatus of the present invention includes: an obtaining unit for obtaining the X coordinate X1 and the Z coordinate Z1 of the point P1 in the projective coordinate on the elliptic curve over the finite field, the X coordinate X2 and the Z coordinate Z2 of the point P2, and the X coordinate X3′ and the Z coordinate Z3′ of the point P3′=P1−P2; and an arithmetic unit for computing the X coordinate X3 and the Z coordinate Z3 of the elliptic curve addition P3=P1+P2 in the projective coordinate without using the Y coordinate by the equations (1) and (2) below based on the X coordinates and the Z coordinates of the points P1, P2, and P3′ obtained by the obtaining unit.

X3=Z3′×[2(X1×Z2+X2×Z1)×(X1×X2+aZ1×Z2)+4bZ1^2×Z2^2]−X3′×[(X1×Z2−X2×Z1)^2]  (1)

Z3=Z3′×[(X1×Z2−X2×Z1)^2]  (2)

[0053] where Z3′≠0, X1×Z2≠X2×Z1.

[0054] According to the invention, the X coordinate and the Z coordinate can be computed in the projective coordinate of the elliptic curve addition P3 without using the Y coordinate of the projective coordinate, thereby shortening the computation time.

[0055] A further elliptic curve cryptosystem apparatus according to the present invention includes: an obtaining unit for obtaining the X coordinate X1 and the Z coordinate Z1 in the projective coordinate of the point P1 on the elliptic curve over the finite field; and an arithmetic unit for computing, from the coordinates of the point P1 obtained by the obtaining unit, the X coordinate X4 and the Z coordinate Z4 of the elliptic curve doubling P4=2×P1 in the projective coordinate without using the Y coordinate by the equations (1) and (2) below.

X4=(X1^2−a×Z1^2)^2−8×b×X1×Z1^3 (^ indicates a power)  (1)

Z4=4×(X1×Z1×(X1^2+a×Z1^2)+b×Z1^4)  (2)

[0056] where Z1≠0.

[0057] According to the invention, the X coordinate and the Z coordinate can be computed in the projective coordinate of the elliptic curve doubling P4 without using the Y coordinate of the projective coordinate, thereby shortening the computation time.

BRIEF DESCRIPTION OF THE DRAWINGS

[0058] FIG. 1 is an explanatory view of an elliptic curve addition;

[0059] FIG. 2 is an explanatory view of an elliptic curve doubling;

[0060] FIG. 3 shows a program of the algorithm 1;

[0061] FIG. 4 shows a program of the algorithm 2;

[0062] FIG. 5 shows a program of the algorithm 3;

[0063] FIG. 6 is a flowchart of the elliptic curve cryptosystem program;

[0064] FIG. 7 shows a practical process of the algorithm 3;

[0065] FIG. 8 shows a practical arithmetic program according to the sixth embodiment of the present invention;

[0066] FIG. 9 shows a practical arithmetic program according to the sixth embodiment when Z3′=1;

[0067] FIG. 10 shows a practical arithmetic program according to the seventh embodiment;

[0068] FIG. 11 shows a practical arithmetic program according to the seventh embodiment when Z3′=1;

[0069] FIG. 12 shows a practical arithmetic program according to the eighth embodiment;

[0070] FIG. 13 shows a practical arithmetic program according to the tenth embodiment;

[0071] FIG. 14 shows an arithmetic program of ECADDDBL;

[0072] FIG. 15 shows the arithmetic program of the ECADDDBL when Z3′=1;

[0073] FIG. 16 shows an arithmetic program according to the fifteenth embodiment of the present invention; and

[0074] FIG. 17 shows the hardware environment for executing an arithmetic program according to the embodiments of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0075] The embodiments of the present invention are described below by referring to the attached drawings. The elliptic curve cryptosystem apparatus according to an embodiment of the present invention comprises, for example, an information processing device exclusive for elliptic curve cryptosystem, a personal computer, an IC chip built in a smart card, etc., a mobile phone, a mobile information terminal device (PDA, etc.), a DVD player, etc., includes at least two processors, and has the function of concurrently performing the elliptic curve addition ECADD and the elliptic curve doubling ECDBL described later.

[0076] Described below is an arithmetic method for an elliptic curve cryptosystem according to the present invention applied to a Weierstrass form elliptic curve over the finite field GF(p^m) with p^m elements (^ indicates a power).

[0077] A Weierstrass form elliptic curve E can be represented by the following equation.

E:y^2=x^3+a×x+b

[0078] FIG. 4 shows the algorithm 2 for an arithmetic operation of the scalar multiplication d×P on an elliptic curve cryptosystem according to the first embodiment of the present invention.

[0079] The point P on the elliptic curve E and the n-bit natural number d are obtained (or input). The binary expression of the natural number d is assumed to be represented as follows.

d=d[n−1]×2^(n−1)+d[n−2]×2^(n−2)+ . . . +d[1]×2+d[0] (d[n−1]≠0, d[i]=0, 1)

[0080] In the first step S1, P is set as the initial value of the variable Q[0], and 0 is set as the initial value of the variable Q[1].

[0081] In the next step S2, i is changed by 1 from 0 to n−1 each time the loop is repeated.

[0082] In the next step S3, the elliptic curve addition ECADD of Q[0] and Q[1] is performed, and the arithmetic result is stored in Q[2].

[0083] In the next step S4, the elliptic curve doubling ECDBL is performed on Q[0], and the arithmetic result is stored in Q[0].

[0084] In the next step S5, Q[1+d[i]] depending on the value of d[i], that is, Q[1] or Q[2], is stored in Q[1].

[0085] The processes in the above mentioned steps S2 through S5 are repeated from i=0 to n−1, and Q[1] of the final arithmetic result is obtained as d×P.

[0086] The above mentioned algorithm 2 can independently compute the elliptic curve addition ECADD and the elliptic curve doubling ECDBL.

[0087] Therefore, the computation time of the scalar multiplication can be shortened by concurrently computing the elliptic curve addition ECADD and the elliptic curve doubling ECDBL of the above mentioned algorithm 2 using two processors.

[0088] FIG. 5 shows the algorithm 3 for computing the scalar multiplication d×P of the elliptic curve cryptosystem according to the second embodiment of the present invention.

[0089] The point P on the elliptic curve E and an n-bit natural number d are input.

[0090] In the first step S1, P is set as the initial value of the Q[0], and 2×P is set as the initial value of the Q[1].

[0091] In the next step S2, i is changed by 1 from n−2 to 0 each time the loop is repeated.

[0092] In the next step S3, the elliptic curve doubling ECDBL of Q[d[i]] is performed, and the arithmetic result is stored in Q[2].

[0093] In the next step S4, the elliptic curve addition ECADD of Q[0] and Q[1] is performed, and the arithmetic result is stored in Q[1].

[0094] In the next step S5, Q[2−d[i]] is stored in Q[0].

[0095] In the next step S6, Q[1+d[i]] is stored in Q[1].

[0096] When d[i]=0, Q[2−d[i]] equals Q[2] in the process in step S5. Therefore, the arithmetic result of the elliptic curve doubling ECDBL, that is, Q[2], is stored in Q[0]. In this case, Q[1+d[i]] in the process in step S6 equals Q[1]. Therefore, the arithmetic result of the elliptic curve addition ECADD, that is, Q[1], is stored in Q[1].

[0097] On the other hand, when d[i]=1, Q[2−d[i]] equals Q[1] in step S5. Therefore, the arithmetic result of the elliptic curve addition ECADD, that is, Q[1], is stored in Q[0]. In this case, Q[1+d[i]] in the process in step S6 equals Q[2]. Therefore, the arithmetic result of the elliptic curve doubling ECDBL, that is, Q[2], is stored in Q[1].

[0098] According to the above mentioned algorithm 3, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL can be independently performed. Therefore, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL can be concurrently performed using two processors to shorten the computation time required for the scalar multiplication.

[0099] Furthermore, the above mentioned algorithms 2 and 3 can improve the resistance to the side channel attacks of encryption and decryption as compared with the algorithm 1 because they can perform the elliptic curve addition ECADD and the elliptic curve doubling ECDBL independent of d[i].
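The steps of algorithms 2 and 3, next to the conventional algorithm 1, can be run on a small curve to compare their results and their ECADD/ECDBL call sequences. This is an added example, not code from the patent: the curve y^2=x^3+2×x+3 over GF(97), the base point G, all function names, the loop direction used for algorithm 1 (i=n−2 down to 0) and the choice of Q[0] as the output of algorithm 3 are assumptions of the example.

```python
# Added illustration on a constructed toy curve (far too small for real use).
P_MOD, A, B = 97, 2, 3      # y^2 = x^3 + 2x + 3 over GF(97), constructed
G = (1, 43)                 # constructed base point: 43^2 = 6 = 1 + 2 + 3 (mod 97)
INF = None                  # point at infinity
TRACE = []                  # order of ECADD ("A") and ECDBL ("D") calls


def group_add(p1, p2):
    """Affine group law of [0014]-[0020], including the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:       # P1 = -P2
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ecadd(p1, p2):
    TRACE.append("A")
    return group_add(p1, p2)


def ecdbl(p1):
    TRACE.append("D")
    return group_add(p1, p1)


def algorithm1(d, p):
    """Conventional binary method: ECADD runs only when d[i] == 1."""
    q0 = p
    for bit in bin(d)[3:]:               # bits d[n-2] .. d[0] (assumed order)
        q0 = ecdbl(q0)
        if bit == "1":
            q0 = ecadd(q0, p)
    return q0


def algorithm2(d, p):
    """Steps S1-S5 of [0080]-[0085]; the result is Q[1]."""
    q = [p, INF, INF]
    for i in range(d.bit_length()):      # i = 0 .. n-1
        di = (d >> i) & 1
        q[2] = ecadd(q[0], q[1])         # S3
        q[0] = ecdbl(q[0])               # S4, independent of S3's result
        q[1] = q[1 + di]                 # S5
    return q[1]


def algorithm3(d, p):
    """Steps S1-S6 of [0090]-[0095]; Q[0] is taken as the result (assumption)."""
    q = [p, ecdbl(p), INF]               # S1: Q[0] = P, Q[1] = 2*P
    for bit in bin(d)[3:]:               # i = n-2 .. 0
        di = int(bit)
        q[2] = ecdbl(q[di])              # S3
        q[1] = ecadd(q[0], q[1])         # S4, reads the same old Q[0], Q[1]
        q[0] = q[2 - di]                 # S5
        q[1] = q[1 + di]                 # S6
    return q[0]


def naive(d, p):
    """Reference: d repeated additions."""
    r = INF
    for _ in range(d):
        r = group_add(r, p)
    return r


def op_trace(algorithm, d, p):
    """ECADD/ECDBL call order of one run, e.g. 'DDADA'."""
    TRACE.clear()
    algorithm(d, p)
    return "".join(TRACE)


if __name__ == "__main__":
    for d in (0b1000, 0b1011):
        print(bin(d), op_trace(algorithm1, d, G), op_trace(algorithm3, d, G))
```

For two scalars of equal bit length, algorithm 1 produces different call sequences while algorithms 2 and 3 produce the same one. The register index Q[d[i]] is still selected by the key bit, so the fixed sequence covers the ECADD/ECDBL pattern only.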

[0100] FIG. 6 is a flowchart of the elliptic curve cryptosystem program of the elliptic curve cryptosystem apparatus.

[0101] First, coefficients of the elliptic curve E, the base point P, and a receiver's public key are obtained (S11 shown in FIG. 6).

[0102] Then, the scalar multiplication is performed using the above mentioned algorithm 2 or 3 (S12).

[0103] Next, encrypted text is generated using the arithmetic result of the scalar multiplication (S13). Finally, the generated encrypted text is transmitted to the receiver (S14).

[0104] In an elliptic curve cryptosystem, the scalar multiplication is performed on the private key s and the point P on the elliptic curve to generate a public key.

[0105] An example of a practical process of the scalar multiplication (step S12 shown in FIG. 6) to be performed using the algorithm 3 is described below by referring to FIG. 7.

[0106] FIG. 7 shows the contents of the processes when the elliptic curve addition ECADD and the elliptic curve doubling ECDBL of the elliptic curve cryptosystem program are concurrently performed based on the algorithm 3 using two processors.

[0107] The elliptic curve cryptosystem apparatus comprises two registers 11 and 12. The register 11 stores a variable Q[0], and the register 12 stores a variable Q[1].

[0108] The initial value P of Q[0] and the initial value 2×P of Q[1] are respectively set in the registers 11 and 12.

[0109] The first processor sets Q[d[i]] in Q[0] (S21 shown in FIG. 7), performs the elliptic curve doubling ECDBL on Q[0], and sets the arithmetic result in Q[0] (S22).

[0110] Then, another processor reads Q[0] stored in the register 11 and Q[1] stored in the register 12, performs the elliptic curve addition ECADD on the points, and sets the arithmetic results in Q[1] (S23).

[0111] When d[i]=0, Q[0] is stored in the register 11, and Q[1] is stored in the register 12. When d[i]=1, the values of Q[0] and Q[1] are exchanged, and Q[0] is stored in the register 11 and Q[1] is stored in the register 12 (S24).

[0112] The above mentioned process is repeated from i=n−2 to 0.

[0113] When the algorithm 3 is used, the concurrent computation of the ECADD and the ECDBL can be performed in the scalar multiplication. When the concurrent computation is performed, the total computation time is 1×ECDBL+(n−1)×ECADD because the computation time of the ECADD is normally longer than the computation time of the ECDBL, thereby considerably shortening the total computation time.

[0114] Described below is the third embodiment of the present invention. According to the third embodiment, the x coordinate of P3=P1+P2 is obtained by an elliptic curve addition having a multiplication element (x3 is obtained multiplied by x3′) without using y coordinates.

[0115] Assume that the Weierstrass form elliptic curve E defined in the GF(p^m) (finite field with p^m elements where p indicates a prime number equal to or larger than 5) is represented by

E:y^2=x^3+a×x+b

[0116] where a and b indicate the elements of the GF(p^m), and 4×a^3+27×b^2≠0.

[0117] The x coordinate x1 of the point P1 of the elliptic curve E, the x coordinate x2 of the point P2, and the x coordinate x3′ of P3′=P1−P2 are obtained. The x coordinate of P3=P1+P2 is assumed to be x3.

[0118] (a) When P3′=∞, x3 is obtained as the x coordinate of the elliptic curve doubling 2×P1, and is output.

[0119] (b) When P3′≠∞, and x1=x2, the point at infinity ∞ is output.

[0120] (c) When P3′≠∞, and x1≠x2,

x3=[(x1×x2−a)^2−4×b×(x1+x2)]/[x3′×(x1−x2)^2]

[0121] The value of x3 is obtained by the equation above, and is output.

[0122] In the third embodiment of the present invention, the x coordinate of the elliptic curve addition ECADD can be obtained without using y coordinates, thereby simplifying the arithmetic program of the elliptic curve addition ECADD, and shortening the computation time.

[0123] Described below is the fourth embodiment of the present invention. According to the fourth embodiment, the x coordinate of P3=P1+P2 is obtained by an elliptic curve addition having an element of addition (x3 is obtained added to x3′) without using y coordinates.

[0124] The x coordinate x1 of the point P1 on the Weierstrass form elliptic curve E, the x coordinate x2 of the point P2, and the x coordinate x3′ of P3′=P1−P2 are obtained.

[0125] (a) When P3′=∞, x3 is obtained as the x coordinate of the elliptic curve doubling 2×P1, and is output.

[0126] (b) When P3′≠∞, and x1=x2, the point at infinity ∞ is output.

[0127] (c) When P3′≠∞, and x1≠x2,

x3=[2×(x1+x2)×(x1×x2+a)+4×b]/[(x1−x2)^2]−x3′

[0128] The value of x3 is obtained by the equation above, and is output.

[0129] According to the fourth embodiment, the computation of the x coordinate of the elliptic curve addition P3=P1+P2 can be performed without using a y coordinate, thereby simplifying the arithmetic program of the elliptic curve addition ECADD, and shortening the computation time.

[0130] Described below is the fifth embodiment of the present invention. In the fifth embodiment, the x coordinate of the elliptic curve doubling P4=2×P1 is obtained without using y coordinates.

[0131] The x coordinate of the point P1 on the Weierstrass form elliptic curve E is obtained.

[0132] The GF(p^m) is defined as a finite field with p^m elements where p indicates a prime number equal to or larger than 5.

[0133] Assume that the Weierstrass form elliptic curve E defined in the GF(p^m) is represented by the following equation.

E:y^2=x^3+a×x+b

[0134] where a and b indicate the elements of the GF(p^m), and 4×a^3+27×b^2≠0.

[0135] (a) When P1=∞, a point at infinity ∞ is output.

[0136] (b) When P1≠∞, x4 is computed by the following equation.

x4=[(x1^2−a)^2−8×b×x1]/[4×(x1^3+a×x1+b)]

[0137] According to the fifth embodiment, the elliptic curve doubling can be performed without using y coordinates, thereby simplifying the elliptic curve doubling, and shortening the computation time.
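The x-only formulas of the third, fourth and fifth embodiments can be checked against each other by building x(k×P) for successive k from x coordinates alone, using (k+1)×P = k×P + P with difference (k−1)×P. This is an added example, not code from the patent: the toy curve over GF(97), the function names, the treatment of ∞ as an input to the addition, and the zero-denominator check in the doubling (a point with y=0) are assumptions of the example that the page does not cover.

```python
P_MOD, A, B = 97, 2, 3      # constructed toy curve y^2 = x^3 + 2x + 3 over GF(97)
INF = None                  # the point at infinity has no x coordinate


def fdiv(num, den):
    """num/den in GF(P_MOD); den must be non-zero modulo P_MOD."""
    return num * pow(den % P_MOD, -1, P_MOD) % P_MOD


def xdbl(x1):
    """Fifth embodiment: x coordinate of 2*P1 from x1 only."""
    if x1 is INF:                                   # case (a)
        return INF
    den = 4 * (x1 ** 3 + A * x1 + B) % P_MOD        # equals 4*y1^2
    if den == 0:                                    # y1 = 0, so 2*P1 is infinity (added check)
        return INF
    return fdiv((x1 * x1 - A) ** 2 - 8 * B * x1, den)


def _edge_case(x1, x2, x3p):
    """Cases that need no formula; returns (handled, result)."""
    if x1 is INF:                                   # P1 = infinity (added case)
        return True, x2
    if x2 is INF:                                   # P2 = infinity (added case)
        return True, x1
    if x3p is INF:                                  # case (a): P1 = P2
        return True, xdbl(x1)
    if (x1 - x2) % P_MOD == 0:                      # case (b): P1 = -P2
        return True, INF
    return False, None


def xadd_additive(x1, x2, x3p):
    """Fourth embodiment: x3 = [2(x1+x2)(x1*x2+a)+4b]/(x1-x2)^2 - x3'."""
    handled, result = _edge_case(x1, x2, x3p)
    if handled:
        return result
    num = 2 * (x1 + x2) * (x1 * x2 + A) + 4 * B
    return (fdiv(num, (x1 - x2) ** 2) - x3p) % P_MOD


def xadd_multiplicative(x1, x2, x3p):
    """Third embodiment: x3 = [(x1*x2-a)^2 - 4b(x1+x2)] / [x3'(x1-x2)^2]."""
    handled, result = _edge_case(x1, x2, x3p)
    if handled:
        return result
    if x3p % P_MOD == 0:                            # formula divides by x3'
        raise ValueError("multiplicative form undefined for x3' = 0")
    num = (x1 * x2 - A) ** 2 - 4 * B * (x1 + x2)
    return fdiv(num, x3p * (x1 - x2) ** 2)


def x_multiples(x, count):
    """x coordinates of 0*P .. count*P (count >= 2), computed without any y."""
    xs = [INF, x, xdbl(x)]
    for k in range(2, count):
        xs.append(xadd_additive(xs[k], x, xs[k - 1]))   # (k+1)P = kP + P
    return xs


def valid_x(x):
    """True if x is infinity or x^3+ax+b is a square (Euler's criterion)."""
    if x is INF:
        return True
    return pow(x ** 3 + A * x + B, (P_MOD - 1) // 2, P_MOD) in (0, 1)


def forms_agree(x, count):
    """Third and fourth embodiments give the same x3 wherever both apply."""
    xs = x_multiples(x, count)
    for k in range(2, count):
        x1, diff = xs[k], xs[k - 1]
        if x1 is INF or diff is INF or diff == 0 or x1 == x:
            continue
        if xadd_multiplicative(x1, x, diff) != xs[k + 1]:
            return False
    return True


if __name__ == "__main__":
    print(x_multiples(3, 7))    # P = (3, 6) has order 5 on this curve
```

The multiplicative form of the third embodiment cannot be evaluated when x3′=0, which is why the chain above is built with the additive form.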

[0138] Described below is the sixth embodiment of the present invention. According to the sixth embodiment, a multiplicative elliptic curve addition is performed to obtain an X coordinate and a Z coordinate of P3=P1+P2 without using Y coordinates in the projective coordinate system.

[0139] The X coordinates of the points P1, P2, and P3′=P1−P2 on the Weierstrass form elliptic curve E over the finite field GF(p^m) are input.

[0140] The finite field GF(p^m) and the Weierstrass form based on which the processes are performed are the same as in the above mentioned embodiments.

[0141] The X coordinate X1 and the Z coordinate Z1 in the projective coordinate system of the point P1 on the elliptic curve E, the X coordinate X2 and the Z coordinate Z2 of the point P2, the X coordinate X3′ and the Z coordinate Z3′ of the point P3′, and the X coordinate X3 and the Z coordinate Z3 of P3=P1+P2 are obtained.

[0142] (a) When Z3′=0, the arithmetic results of X4 and Z4 from the elliptic curve doubling 2×P1 are output as X3 and Z3.

[0143] (b) When Z3′≠0 and X1×Z2=X2×Z1, X3=0 and Z3=0 are output.

[0144] (c) When Z3′≠0 and X1×Z2≠X2×Z1, the following equations hold.

X3=Z3′×[(X1×X2−a×Z1×Z2)^2−4×b×Z1×Z2×(X1×Z2+X2×Z1)]  (1A)

Z3=X3′×[(X1×Z2−X2×Z1)^2]  (2A)

[0145] By the equations (1A) and (2A) above, the X coordinate X3 and the Z coordinate Z3 in the projective coordinate of P3 are computed.

[0146] According to the above mentioned sixth embodiment, the elliptic curve addition can be performed without using Y coordinates of the projective coordinate system, thereby simplifying the arithmetic program and shortening the computation time.

[0147] FIG. 8 shows an example of a practical arithmetic program according to the sixth embodiment.

[0148] The arithmetic program shown in FIG. 8 realizes the arithmetics by the equations (1A) and (2A) according to the sixth embodiment, and includes the following processes.

[0149] (1) The multiplication of the X coordinate X1 of the point P1 and the X coordinate X2 of the point P2 is performed, and the result is set in T1 comprising memory or a register (the same in the following items).

[0150] (2) The multiplication of the Z coordinate Z1 of the point P1 and the Z coordinate Z2 of the point P2 is performed, and the result is set in T2.

[0151] (3) The multiplication of X1 and Z2 is performed, and the result is set in T3.

[0152] (4) The multiplication of X2 and Z1 is performed, and the result is set in T4.

[0153] (5) T2 is multiplied by a, and the result is set in T5.

[0154] (6) T5 is subtracted from T1, and the result is set in T6. This process corresponds to the arithmetic of “X1×X2−a×Z1×Z2”.

[0155] (7) T6 is squared, and the result is set in T7. This process corresponds to the arithmetic of “(X1×X2−a×Z1×Z2)^2” in the equation (1A) above.

[0156] (8) T2 is multiplied by b, and the result is set in T8.

[0157] (9) T8 is multiplied by 4, and the result is set in T9.

[0158] (10) T3 is added to T4, and the result is set in T10.

[0159] (11) The multiplication of T9 and T10 is performed, and the result is set in T11.

[0160] (12) T11 is subtracted from T7, and the result is set in T12.

[0161] (13) The multiplication of Z3′ and T12 is performed, and the result is set as X3. Thus, the coordinate of X3 in the equation (1A) above is obtained.

[0162] (14) T4 is subtracted from T3, and the result is set in T13.

[0163] (15) T13 is squared, and the result is set in T14.

[0164] (16) The multiplication of X3′ and T14 is performed, and the result is set as Z3. Thus, the coordinate of Z3 in the equation (2A) above is obtained.

[0165] In the above mentioned arithmetic program, the X coordinate and the Z coordinate of the point P3 of the elliptic curve addition P3=P1+P2 in the projective coordinate system can be computed by nine multiplying operations, two squaring operations, and several adding, subtracting, and constant multiplying operations.

[0166] FIG. 9 shows a practical arithmetic program by the equations (1A) and (2A) according to the sixth embodiment when Z3′=1.

[0167] In this case, since Z3′=1, it is not necessary to perform the multiplication of “Z3′×T12” of the arithmetic program (13) shown in FIG. 8.

[0168] Therefore, in the arithmetic program shown in FIG. 9, the X coordinate X3 and the Z coordinate Z3 of the point P3 of the elliptic curve addition in the projective coordinate system can be computed by eight multiplying operations, two squaring operations, and several adding, subtracting, and constant multiplying operations.

[0169] Described below is the seventh embodiment of the present invention. According to the seventh embodiment, the X coordinate X3 and the Z coordinate Z3 of the elliptic curve addition P3=P1+P2 can be obtained without using Y coordinates.

[0170] According to the seventh embodiment,

[0171] (a) When Z3′=0, the arithmetic results of X4 and Z4 from the elliptic curve doubling 2×P1 are output as X3 and Z3.

[0172] (b) When Z3′≠0 and X1×Z2=X2×Z1, X3=0 and Z3=0 are output.

[0173] (c) When Z3′≠0 and X1×Z2≠X2×Z1, the following equations hold.

X3=Z3′×[2×(X1×Z2+X2×Z1)×(X1×X2+a×Z1×Z2)+4×b×Z1^ 2×Z2^2]−X3′×[(X1×Z2−X2×Z1)^ 2]  (1A)

Z3=Z3′×[(X1×Z2−X2×Z1)^ 2]  (2A)

[0174] By the equations (1A) and (2A), the X coordinate X3 and the Z coordinate Z3 of the elliptic curve addition P3=P1+P2 can be obtained.

[0175] According to the seventh embodiment, the X coordinate X3 and the Z coordinate Z3 of the elliptic curve addition P3=P1+P2 can be computed without using Y coordinates in the projective coordinate system, thereby shortening the computation time.

[0176] FIG. 10 shows the arithmetic program by the equations (1A) and (2A) according to the seventh embodiment, and comprises the following processes.

[0177] (1) The multiplication of the X coordinate X1 of the point P1 and the X coordinate X2 of the point P2 is performed, and the result is set in T1 comprising memory or a register.

[0178] (2) The multiplication of the Z coordinate Z1 of the point P1 and the Z coordinate Z2 of the point P2 is performed, and the result is set in T2.

[0179] (3) The multiplication of X1 and Z2 is performed, and the result is set in T3.

[0180] (4) The multiplication of X2 and Z1 is performed, and the result is set in T4.

[0181] (5) T3 is added to T4, and the result is set in T5.

[0182] (6) T2 is multiplied by a, and the result is set in T6.

[0183] (7) T1 is added to T6, and the result is set in T7.

[0184] (8) The multiplication of T5 and T7 is performed, and the result is set in T8. This process corresponds to the arithmetic of “(X1×Z2+X2×Z1)×(X1×X2+a×Z1×Z2)”.

[0185] (9) T8 is multiplied by 2, and the result is set in T9.

[0186] (10) T2 is squared, and the result is set in T10.

[0187] (11) T10 is multiplied by b, and the result is set in T11.

[0188] (12) T11 is multiplied by 4, and the result is set in T12.

[0189] (13) T9 is added to T12, and the result is set in T13.

[0190] (14) T4 is subtracted from T3, and the result is set in T14.

[0191] (15) T14 is squared, and the result is set in T15.

[0192] (16) The multiplication of Z3′ and T13 is performed, and the result is set in T16.

[0193] (17) The multiplication of X3′ and T15 is performed, and the result is set in T17.

[0194] (18) T17 is subtracted from T16, and the result is obtained as the X coordinate X3 in the projective coordinate system.

[0195] (19) The multiplication of Z3′ and T15 is performed, and the result is obtained as the Z coordinate Z3 in the projective coordinate system.

[0196] In the above mentioned arithmetic program, the X coordinate X3 and the Z coordinate Z3 of the point P3 of the elliptic curve addition P3=P1+P2 in the projective coordinate system can be computed by ten multiplying operations, two squaring operations, and several adding, subtracting, and constant multiplying operations.

[0197] FIG. 11 shows a practical arithmetic program by the equations (1A) and (2A) according to the seventh embodiment when Z3′=1.

[0198] In this case, since Z3′=1, it is not necessary to perform the processes of “Z3′×T13” (16) and “Z3′×T15” (19) of the arithmetic program shown in FIG. 10. Therefore, in the arithmetic program shown in FIG. 11, the X coordinate X3 and the Z coordinate Z3 of the point P3 of the elliptic curve addition in the projective coordinate system can be computed by eight multiplying operations, two squaring operations, and several adding, subtracting, and constant multiplying operations.

[0199] Described below is the eighth embodiment of the present invention. According to the eighth embodiment, the X coordinate X4 and the Z coordinate Z4 of the elliptic curve doubling P4=2×P1 can be obtained without using Y coordinates.

[0200] The X coordinate X1 and the Z coordinate Z1 of the point P1 on the Weierstrass form elliptic curve E in the GF(p^ m) are input. The Weierstrass form elliptic curve E is represented by the following equation.

E:Y^ 2×Z=X^ 3+a×X×Z^ 2+b×Z^ 3

[0201] The X coordinate X1 and the Z coordinate Z1 of the point P1 on the elliptic curve E and the X coordinate X4 and the Z coordinate Z4 of P4=2×P1 are obtained.

[0202] (a) When Z1=0, X4=0 and Z4=0 are output.

[0203] (b) When Z1≠0, the following equations hold.

X4=(X1^ 2−a×Z1^ 2)^ 2−8×b×X1×Z1^ 3  (1A)

Z4=4×(X1×Z1×(X1^ 2+a×Z1^ 2)+b×Z1^ 4)  (2A)

[0204] By the equations (1A) and (2A) above, the X coordinate X4 and the Z coordinate Z4 of the point P4 in the elliptic curve doubling in the projective coordinate system can be obtained.

[0205] According to the eighth embodiment, the X coordinate X4 and the Z coordinate Z4 of the elliptic curve doubling P4=2×P1 can be computed without using Y coordinates in the projective coordinate system, thereby shortening the computation time.

[0206] FIG. 12 shows an example of a practical arithmetic program by the equations (1A) and (2A) according to the eighth embodiment, and includes the following processes.

[0207] (1) The X coordinate X1 of the point P1 in the projective coordinate system is squared, and the result is set in T1.

[0208] (2) Similarly, the Z coordinate Z1 of the point P1 in the projective coordinate system is squared, and the result is set in T2.

[0209] (3) T2 is multiplied by a, and the result is set in T3.

[0210] (4) T3 is subtracted from T1, and the result is set in T4.

[0211] (5) T4 is squared, and the result is set in T5.

[0212] (6) T2 is multiplied by b, and the result is set in T6.

[0213] (7) The multiplication of the X coordinate X1 of the point P1 and the Z coordinate Z1 is performed, and the result is set in T7.

[0214] (8) The multiplication of T6 and T7 is performed, and the result is set in T8.

[0215] (9) T8 is multiplied by 8, and the result is set in T9.

[0216] (10) T9 is subtracted from T5, and the result is obtained as the X coordinate X4 of the point P4.

[0217] (11) T1 is added to T3, and the result is set in T10.

[0218] (12) The multiplication of T7 and T10 is performed, and the result is set in T11.

[0219] (13) The multiplication of T6 and T2 is performed, and the result is set in T12.

[0220] (14) T11 is added to T12, and the result is set in T13.

[0221] (15) T13 is multiplied by 4, and the result is obtained as the Z coordinate Z4 of the point P4.

[0222] In the arithmetic program, the X coordinate X4 and the Z coordinate Z4 of the elliptic curve doubling P4=2×P1 can be computed by six multiplying operations, three squaring operations, and several adding, subtracting, and constant multiplying operations, thereby shortening the total computation time.

[0223] Described below is the ninth embodiment of the present invention. According to the ninth embodiment, the x coordinate and the y coordinate of the point P of the elliptic curve E, and the x coordinates of the points P[d] and P[d+1] are obtained, and the y coordinate of the point P[d] is computed.

[0224] The x coordinate and the y coordinate of the point P of the Weierstrass form elliptic curve E in the GF(p^ m), and the x coordinates x[d] and x[d+1] of the points P[d] and P[d+1] are obtained. The Weierstrass form elliptic curve E is represented by the following equation.

E:y^ 2=x^ 3+a×x+b,

[0225] where a and b are elements of the GF(p^ m), 4×a^ 3+27×b^ 2≠0

[0226] Assume for the point P=(x, y) of the elliptic curve E, the x coordinate of P[d]=d×P is x[d], and the x coordinate of P[d+1]=(d+1)×P is x[d+1].

y[d]=[y^ 2+x[d]^ 3+a×x[d]+b−(x−x[d])^ 2×(x+x[d]+x[d+1])]/[2×y]

[0227] The y coordinate y[d] of the point P[d] can be obtained by the equation above.

[0228] According to the ninth embodiment, the points P[d] and P[d+1] are computed without using y coordinates in the above mentioned computing method, and the y coordinate y[d] of the point P[d] can be obtained using the x coordinates, thereby shortening the computation time.

[0229] Described below is the tenth embodiment of the present invention. According to the tenth embodiment, after obtaining the X coordinate and the Z coordinate of the P[d] and P[d+1] in the projective coordinate system, the Y coordinate of the P[d] in the projective coordinate is obtained.

[0230] The x coordinate and the y coordinate of the point P on the Weierstrass form elliptic curve E in the GF(p^ m), and the X coordinate and the Z coordinate of the points P[d] and P[d+1] in the projective coordinate system are obtained.

[0231] Assume that the Weierstrass form elliptic curve defined in the GF(p^ m) is represented as follows.

E:Y^ 2×Z=X^ 3+a×X×Z^ 2+b×Z^ 3

[0232] where a and b are the elements of the GF(p^ m), and 4×a^ 3+27×b^ 2≠0.

[0233] Assume the point P=(x, y) on the elliptic curve E, the X coordinate of P[d]=d×P in the projective coordinate system is X[d], and the Z coordinate is Z[d], the X coordinate of P[d+1]=(d+1)×P in the projective coordinate system is X[d+1], and the Z coordinate is Z[d+1]. The projective coordinates are X′[d]=r×X[d], Y′[d]=r×Y[d], and Z′[d]=r×Z[d]. The value of the denominator of Y[d] is set as r.

[0234] The projective coordinate of P[d] can be represented by the following equation.

X′[d]=2×y×Z[d]^ 2×Z[d+1]×X[d]  (1A)

Y′[d]=Z[d+1]×(y^ 2×Z[d]^ 3+X[d]^ 3+a×X[d]×Z[d]^ 2+b×Z[d]^ 3)−(x×Z[d]−X[d])^ 2×(x×Z[d]×Z[d+1]+X[d]×Z[d+1]+X[d+1]×Z[d])  (2A)

Z′[d]=2×y×Z[d]^ 2×Z[d+1]×Z[d]  (3A)

[0235] By the equation (2A) above, the Y coordinate of P[d] in the projective coordinate system can be computed by an equation not containing a division. In the projective coordinate system, (X[d]:Y[d]:Z[d]) equals (X′[d]:Y′[d]:Z′[d]) obtained by multiplying each of the original elements by r. Therefore, the Y coordinate of P[d] can be obtained from the above mentioned result.

[0236] According to the tenth embodiment, the Y coordinate of the point P[d] of the scalar multiplication can be obtained in the projective coordinate system without a dividing operation, thereby shortening the computation time.

[0237] FIG. 13 shows an example of a practical arithmetic program according to the tenth embodiment of the present invention. The arithmetic program comprises the following processes.

[0238] (1) The Z coordinate Z[d] of the point P[d] is squared, and the result is set in T1.

[0239] (2) The multiplication of T1 and Z[d+1] is performed, and the result is set in T2. This process corresponds to the arithmetic of “Z[d]^ 2×Z[d+1]”.

[0240] (3) The multiplication of the Y coordinate y of the point P and T2 is performed, and the result is set in T3. This process corresponds to the arithmetic of “y×Z[d]^ 2×Z[d+1]”.

[0241] (4) The multiplication of the X coordinate X[d] of P[d] in the projective coordinate system and T3 is performed, and the result is set in T4. This process corresponds to the arithmetic of “y×Z[d]^ 2×Z[d+1]×X[d]”.

[0242] (5) T4 is multiplied by 2, and the result is set in X′[d].

[0243] (6) The multiplication of the Z coordinate Z[d] of P[d] in the projective coordinate system and T3 is performed, and the result is set in T5. This process corresponds to the arithmetic of “y×Z[d]^ 2×Z[d+1]×Z[d]”.

[0244] (7) T5 is multiplied by 2, and the result is set in Z′[d].

[0245] (8) X[d] is squared, and the result is set in T6.

[0246] (9) T1 is multiplied by a, and the result is set in T7.

[0247] (10) T6 is added to T7, and the result is set in T8.

[0248] (11) The multiplication of X[d] and the Z coordinate Z[d+1] of the point P[d+1] is performed, and the result is set in T9.

[0249] (12) The multiplication of T9 and T8 is performed, and the result is set in T10. This process corresponds to the arithmetic of “X[d]×Z[d+1]×(X[d]^ 2+a×Z[d]^ 2)”.

[0250] (13) The multiplication of y and T5 is performed, and the result is set in T11. This process corresponds to the arithmetic of “y^ 2×Z[d]^ 3×Z[d+1]”.

[0251] (14) Z[d] is multiplied by b, and the result is set in T12.

[0252] (15) The multiplication of T12 and T2 is performed, and the result is set in T13. This process corresponds to the arithmetic of “b×Z[d]^ 3×Z[d+1]”.

[0253] (16) The multiplication of x and Z[d] is performed, and the result is set in T14.

[0254] (17) X[d] is subtracted from T14, and the result is set in T15. This process corresponds to the arithmetic of “x×Z[d]−X[d]”.

[0255] (18) T15 is squared, and the result is set in T16. This process corresponds to the arithmetic of “(x×Z[d]−X[d])^ 2”.

[0256] (19) The multiplication of T14 and Z[d+1] is performed, and the result is set in T17. This process corresponds to the arithmetic of “x×Z[d]×Z[d+1]”.

[0257] (20) The multiplication of X[d+1] and Z[d] is performed, and the result is set in T18.

[0258] (21) T17, T9, and T18 are added up, and the result is set in T19.

[0259] (22) The multiplication of T16 and T19 is performed, and the result is set in T20.

[0260] (23) T20 is subtracted from the sum of T10, T11, and T13, and the result is set in Y′[d]. Thus, the Y coordinate Y′[d] of the point P[d] in the projective coordinate system can be obtained.

[0261] The above mentioned arithmetic program can be realized by fourteen multiplying operations, three squaring operations, and several adding, subtracting, and constant multiplying operations.

[0262] Described below is the eleventh embodiment of the present invention. The eleventh embodiment performs the arithmetic of P[d]=d×P by using the arithmetic method of a multiplicative elliptic curve addition without using Y coordinates according to the third embodiment, the arithmetic method of the elliptic curve doubling without using Y coordinates according to the fifth embodiment, and the arithmetic method for obtaining the coordinates (X′[d]:Y′[d]:Z′[d]) of P[d] in the projective coordinate according to the ninth embodiment.

[0263] In the eleventh embodiment, the x coordinate and the y coordinate of the point P on the elliptic curve E in the GF(p^ m), and an n-bit natural number d are input, and the algorithm 3 shown in FIG. 5 is used with the initial value Q[0]=P, and Q[1]=0.

[0264] That is, the elliptic curve addition ECADD in the algorithm 3 shown in FIG. 5 is performed in the arithmetic method of the multiplicative elliptic curve addition without using y coordinates according to the third embodiment, and the elliptic curve doubling ECDBL is performed in the arithmetic method of the elliptic curve doubling without using y coordinates according to the fifth embodiment. Then, after completing the loop according to the algorithm 3, the equations x[d]=Q[0] and x[d+1]=Q[1] are set, and the y coordinate y[d] of P[d] is computed from the x coordinates x[d] and x[d+1] of the point P[d] and P[d+1] in the arithmetic program of the ninth embodiment.

[0265] Described below is the twelfth embodiment of the present invention. The twelfth embodiment computes P[d]=d×P by using the arithmetic method of an additive elliptic curve addition without using y coordinates according to the fourth embodiment, the arithmetic method of the elliptic curve doubling without using y coordinates according to the fifth embodiment, and the arithmetic method for computing y coordinates according to the ninth embodiment.

[0266] According to the twelfth embodiment of the present invention, the coordinate of the point P on the elliptic curve E and n-bit natural number d are input, the elliptic curve addition ECADD in the arithmetic program of the algorithm 3 shown in FIG. 5 is performed in the arithmetic method of the additive elliptic curve addition without using y coordinates according to the fourth embodiment, and the elliptic curve doubling ECDBL is performed in the arithmetic method of the elliptic curve doubling without using y coordinates according to the fifth embodiment. After completing the loop according to the algorithm 3, the equations x[d]=Q[0] and x[d+1]=Q[1] are set, and the y coordinate y[d] of P[d] is computed from the x coordinates x[d] and x[d+1] of the point P[d] and P[d+1] in the arithmetic program of the ninth embodiment.

[0267] Described below is the thirteenth embodiment of the present invention. The thirteenth embodiment computes P[d]=P×d by using the arithmetic method of a multiplicative elliptic curve addition without using Y coordinates in the projective coordinate system according to the sixth embodiment, the arithmetic method of the elliptic curve doubling without using Y coordinates in the projective coordinate system according to the eighth embodiment, and the arithmetic method for obtaining the coordinates (X′[d]:Y′[d]:Z′[d]) of P[d] in the projective coordinate according to the tenth embodiment.

[0268] According to the thirteenth embodiment, the X coordinate and the Y coordinate of the point P on the elliptic curve E, and n-bit natural number d are input, the initial value Q[0]=(X:Z), Q[1]=(0:1) are set, and the arithmetic program of the algorithm 3 shown in FIG. 5 is used. The coordinates of the point P in the projective coordinate system are (X:Y:Z).

[0269] The elliptic curve addition ECADD of the arithmetic program of the algorithm 3 shown in FIG. 5 is performed in the arithmetic method of the multiplicative elliptic curve addition without using Y coordinates in the projective coordinate system according to the sixth embodiment, and the elliptic curve doubling ECDBL is performed in the arithmetic method of the elliptic curve doubling without using Y coordinates in the projective coordinate system according to the eighth embodiment of the present invention.

[0270] When the loop of the algorithm 3 is completed, X′[d], Y′[d], and Z′[d] are computed in the arithmetic method according to the tenth embodiment with X[d] set as the first element (X element) of Q[0], Z[d] set as the second element (Z element) of Q[0], X[d+1] set as the first element (X element) of Q[1], and Z[d+1] set as the second element (Z element) of Q[1]. Furthermore, the X coordinate and the Y coordinate of the point P[d] are computed with x[d]=X′[d]/Z′[d] and y[d]=Y′[d]/Z′[d].

[0271] In the above mentioned thirteenth embodiment, the elliptic curve addition ECADD of the algorithm 3 can be performed by the arithmetic program of the elliptic curve addition according to the sixth embodiment shown in FIG. 8, and the elliptic curve doubling ECDBL can be performed by the arithmetic program of the elliptic curve doubling according to the eighth embodiment shown in FIG. 12. After the loop of the algorithm 3 is completed, the computation of the coordinates (X′[d]:Y′[d]:Z′[d]) of the point P[d] in the projective coordinate system can be performed by the arithmetic program for computing the projective coordinate in the tenth embodiment shown in FIG. 13.

[0272] In this case, the computation in each loop of the algorithm 3 can be realized by fifteen multiplying operations, five squaring operations, and several adding, subtracting, and constant multiplying operations.

[0273] When Z=1, the elliptic curve addition ECADD of the algorithm 3 can be performed by the arithmetic program shown in FIG. 11 instead of executing the arithmetic program shown in FIG. 8. Other arithmetic operations are the same as those described above.

[0274] In this case, the computation in each loop of the algorithm 3 can be realized by fourteen multiplying operations, five squaring operations, and several adding, subtracting, and constant multiplying operations.

[0275] Described below is the fourteenth embodiment of the present invention. The fourteenth embodiment computes P[d]=P×d by using the arithmetic method of an additive elliptic curve addition without using Y coordinates in the projective coordinate system according to the seventh embodiment, the arithmetic method of the elliptic curve doubling without using Y coordinates in the projective coordinate system according to the eighth embodiment, and the arithmetic method for obtaining the coordinates (X′[d]:Y′[d]:Z′[d]) of P[d] in the projective coordinate according to the tenth embodiment.

[0276] According to the fourteenth embodiment, the X coordinate and the Y coordinate of the point P on the elliptic curve E, and n-bit natural number d are input, the initial value Q[0]=(X:Z), Q[1]=(0:1) are set, and the arithmetic program of the algorithm 3 shown in FIG. 5 is used. The coordinates of the point P in the projective coordinate system are (X:Y:Z).

[0277] The elliptic curve addition ECADD of the arithmetic program of the algorithm 3 shown in FIG. 5 is performed in the arithmetic method of the additive elliptic curve addition without using Y coordinates in the projective coordinate system according to the seventh embodiment, and the elliptic curve doubling ECDBL is performed in the arithmetic method of the elliptic curve doubling without using Y coordinates in the projective coordinate system according to the eighth embodiment of the present invention. The subsequent arithmetic process is the same as that performed after the completion of the loop of the algorithm 3 according to the above mentioned thirteenth embodiment.

[0278] In these processes, P[d]=(X′[d]:Y′[d]:Z′[d]) can be computed.

[0279] In the above mentioned fourteenth embodiment, the elliptic curve addition ECADD of the algorithm 3 is performed by the arithmetic program of the elliptic curve addition without using Y coordinates in the projective coordinate system shown in FIG. 10 (seventh embodiment), and the elliptic curve doubling ECDBL can be performed by the arithmetic program of the elliptic curve doubling without using Y coordinates in the projective coordinate system shown in FIG. 12 (eighth embodiment). After the completion of the loop of the algorithm 3, the computation of the coordinate (X′[d]:Y′[d]:Z′[d]) of the point P[d] in the projective coordinate system can be performed by the arithmetic program for computing P[d]=(X′[d]:Y′[d]:Z′[d]) shown in FIG. 13.

[0280] In this case, the computation in each loop of the algorithm 3 can be realized by sixteen multiplying operations, five squaring operations, and several adding, subtracting, and constant multiplying operations.

[0281] When Z=1, the arithmetic program shown in FIG. 10 can be replaced with the arithmetic program shown in FIG. 11.

[0282] In this case, the computation in each loop of the algorithm 3 can be realized by fourteen multiplying operations, five squaring operations, and several adding, subtracting, and constant multiplication.
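The pipeline of the fourteenth embodiment, as an added example that is not part of the patent text: the addition of the seventh embodiment and the doubling of the eighth embodiment drive a ladder that never touches Y, and the equations of the tenth embodiment recover Y with one final inversion; the result is checked against ordinary affine double-and-add. The field, curve and point are toy values constructed here, P3′ is taken to be the difference P1−P2, and the loop is a Montgomery ladder started from Q[0]=P, Q[1]=2×P, which is an assumption because algorithm 3 (FIG. 5) is not reproduced in this section.

```python
# Toy parameters constructed for this example (not taken from the patent).
p = 2**127 - 1                  # prime field GF(p)
a, b = p - 3, 11                # E: y^2 = x^3 + a*x + b
P = (5, 11)                     # 11^2 = 5^3 - 3*5 + 11, so P lies on E
assert (4 * a**3 + 27 * b**2) % p != 0

def inv(v):
    """Modular inverse in GF(p) by Fermat's little theorem."""
    return pow(v % p, p - 2, p)

def ecdbl(P1):
    """Eighth embodiment: (X4:Z4) of 2*P1 from (X1:Z1) only."""
    X1, Z1 = P1
    if Z1 == 0:
        return (0, 0)                                   # case (a)
    xx, zz = X1 * X1 % p, Z1 * Z1 % p
    X4 = ((xx - a * zz) ** 2 - 8 * b * X1 * Z1 * zz) % p
    Z4 = 4 * (X1 * Z1 * (xx + a * zz) + b * zz * zz) % p
    return (X4, Z4)

def ecadd(P1, P2, Pdiff):
    """Seventh embodiment: (X3:Z3) of P1+P2, given (X3':Z3') of the difference."""
    (X1, Z1), (X2, Z2), (Xd, Zd) = P1, P2, Pdiff
    if Zd == 0:
        return ecdbl(P1)                                # case (a)
    t3, t4 = X1 * Z2 % p, X2 * Z1 % p
    if t3 == t4:
        return (0, 0)                                   # case (b)
    t13 = (2 * (t3 + t4) * (X1 * X2 + a * Z1 * Z2) + 4 * b * (Z1 * Z2) ** 2) % p
    t15 = (t3 - t4) ** 2 % p
    return ((Zd * t13 - Xd * t15) % p, Zd * t15 % p)    # case (c)

def ladder(d, x):
    """Assumed ladder loop: X/Z pairs of d*P and (d+1)*P for d >= 1."""
    Q = [(x, 1), ecdbl((x, 1))]
    for bit in bin(d)[3:]:                 # bits below the leading 1
        i = int(bit)
        dbl = ecdbl(Q[i])
        add = ecadd(Q[0], Q[1], (x, 1))    # Q[1]-Q[0] is always P, so Z3'=1
        Q = [add, dbl] if i else [dbl, add]
    return Q

def recover(P, Qd, Qd1):
    """Tenth embodiment: (X':Y':Z') of P[d], computed without a division."""
    (x, y), (Xd, Zd), (Xe, Ze) = P, Qd, Qd1
    r = 2 * y * Zd * Zd * Ze % p
    Yp = (Ze * (y * y * Zd**3 + Xd**3 + a * Xd * Zd * Zd + b * Zd**3)
          - (x * Zd - Xd) ** 2 * (x * Zd * Ze + Xd * Ze + Xe * Zd)) % p
    return (r * Xd % p, Yp, r * Zd % p)

def scalar_mult(d, P):
    """Affine d*P: ladder on X/Z, Y recovery, then a single inversion."""
    Xp, Yp, Zp = recover(P, *ladder(d, P[0]))
    zi = inv(Zp)
    return (Xp * zi % p, Yp * zi % p)

def ref_add(A, B):
    """Reference affine addition (uses y); None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ref_mult(d, P):
    """Reference left-to-right double-and-add."""
    R = None
    for bit in bin(d)[2:]:
        R = ref_add(R, R)
        if bit == "1":
            R = ref_add(R, P)
    return R

if __name__ == "__main__":
    d = 0xC0FFEE
    print(scalar_mult(d, P) == ref_mult(d, P))
```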

[0283] FIG. 14 shows an example of an arithmetic program ECADDDBL obtained by summarizing the common elements of the elliptic curve addition ECADD and elliptic curve doubling ECDBL according to the fourth embodiment. The arithmetic program comprises the following processes.

[0284] (1) The multiplication of the X coordinate X1 of the point P1 in the projective coordinate system and the X coordinate X2 of the point P2 in the projective coordinate system is performed, and the result is set in T1 comprising memory or a register (the same in the following items).

[0285] (2) The multiplication of the Z coordinate Z1 of the point P1 and the Z coordinate Z2 of the point P2 is performed, and the result is set in T2.

[0286] (3) The multiplication of X1 and Z2 is performed, and the result is set in T3.

[0287] (4) The multiplication of X2 and Z1 is performed, and the result is set in T4.

[0288] (5) T3 is added to T4, and the result is set in T5.

[0289] (6) T2 is multiplied by a, and the result is set in T6.

[0290] (7) T1 is added to T6, and the result is set in T7.

[0291] (8) The multiplication of T5 and T7 is performed, and the result is set in T8. This process corresponds to the arithmetic of “(X1×Z2+X2×Z1)(X1×X2+a×Z1×Z2)”.

[0292] (9) T8 is multiplied by 2, and the result is set in T9.

[0293] (10) T2 is squared, and the result is set in T10. This process corresponds to the arithmetic of “Z1^ 2×Z2^ 2”.

[0294] (11) T10 is multiplied by b, and the result is set in T11.

[0295] (12) T11 is multiplied by 4, and the result is set in T12.

[0296] (13) T9 is added to T12, and the result is set in T13. This process corresponds to the arithmetic of “2×(X1×Z2+X2×Z1)(X1×X2+a×Z1×Z2)+4×b×Z1^ 2×Z2^ 2”.

[0297] (14) T4 is subtracted from T3, and the result is set in T14. This process corresponds to “X1×Z2−X2×Z1”.

[0298] (15) T14 is squared, and the result is set in T15. This process corresponds to the arithmetic of “(X1×Z2−X2×Z1)^ 2”.

[0299] (16) The multiplication of Z3′ and T13 is performed, and the result is set in T16.

[0300] (17) The multiplication of X3′ and T15 is performed, and the result is set in T17.

[0301] (18) T17 is subtracted from T16, and the result is set in X3.

[0302] (19) The multiplication of Z3′ and T15 is performed, and the result is set in Z3.

[0303] (20) T3 is squared, and the result is set in T21. This process corresponds to the arithmetic of “X1^ 2×Z2^ 2”.

[0304] (21) The multiplication of T6 and T2 is performed. The process corresponds to the arithmetic of “a×Z1^ 2×Z2^ 2”.

[0305] (22) T22 is subtracted from T21, and the result is set in T23. This process corresponds to “X1^ 2×Z2^ 2−a×Z1^ 2×Z2^ 2”.

[0306] (23) T23 is squared, and the result is set in T24. This process corresponds to the arithmetic of “(X1^ 2×Z2^ 2−a×Z1^ 2×Z2^ 2)^ 2”.

[0307] (24) T11 is set in T25.

[0308] (25) T25 is multiplied by T2, and the result is set in T26. This process corresponds to the arithmetic of “b×Z1^ 3×Z2^ 3”.

[0309] (26) The multiplication of T26 and T3 is performed, and the result is set in T27. The process corresponds to “b×X1×Z1^ 3×Z2^ 4”.

[0310] (27) T27 is multiplied by 8, and the result is set in T28. This process corresponds to the arithmetic of “8×b×X1×Z1^ 3×Z2^ 4”.

[0311] (28) T28 is subtracted from T24, and the result is set in X4.

[0312] (29) T21 is added to T22, and the result is set in T29. This process corresponds to the arithmetic of “X1^ 2×Z2^ 2+a×Z1^ 2×Z2^ 2”.

[0313] (30) The multiplication of T3 and T29 is performed, and the result is set in T30. The process corresponds to the arithmetic of “X1×Z2(X1^ 2×Z2^ 2+a×Z1^ 2×Z2^ 2)”.

[0314] (31) T30 is added to T26, and the result is set in T31.

[0315] (32) The multiplication of T2 and T31 is performed, and the result is set in T32.

[0316] (33) T32 is multiplied by 4, and the result of Z4 is obtained.

[0317] Using the above mentioned arithmetic program, the coordinates (X′[d]:Y′[d]:Z′[d]) of the P[d] in the projective coordinate system can be computed.

[0318] In this case, the computation of each loop of the algorithm 3 can be realized by fourteen multiplying operations, five squaring operations, and several adding, subtracting, and constant multiplication in the GF(p^ m).

[0319] FIG. 15 shows an example of an arithmetic program of ECADDDBL when Z3′=1.

[0320] In this case, the computation of each loop of the algorithm 3 can be realized by thirteen multiplying operations, four squaring operations, and several adding, subtracting, and constant multiplication.

[0321] Described below is the fifteenth embodiment of the present invention. In the fifteenth embodiment, the coordinates (u, v) of the point P on the Montgomery form elliptic curve E, the U coordinate and V coordinate of the point P[d] and P[d+1] in the projective coordinate system are obtained or input. Assume U[d] as the U coordinate of the point P[d]=d×P in the projective coordinate system, and W[d] as the W coordinate; and U[d+1] as the U coordinate of the point P[d+1]=(d+1)×P in the projective coordinate, and W[d+1] as the W coordinate.

[0322] Assume that the Montgomery form elliptic curve E is as follows.

B×V^ 2×W=U^ 3+A×U^ 2×W+U×W^ 2

[0323] where A and B indicate the elements of GF(p^ m), and B (A^2−4)≠0.

U′[d]=4Bv×U[d+1]×W[d+1]×W[d]×U[d]  (1A)

V′[d]=(u×U[d]−W[d])^ 2×W[d+1]^ 2−(U[d]−u×W[d])^ 2×U[d+1]^ 2; (^indicates a power)  (2A)

W′[d]=4Bv×U[d+1]×W[d+1]×W[d]^ 2  (3A)

[0324] By the equations (1A) through (3A) above, the coordinates (U′[d]:V′[d]:W′[d]) of P[d]=d×P in the projective coordinate system are computed.

[0325] According to the fifteenth embodiment, the coordinates of the P[d] in the projective coordinate system can be computed without using a division, thereby shortening the computation time.

[0326] FIG. 16 shows an example of an arithmetic program by the equations (1A) through (3A) according to the above mentioned fifteenth embodiment. The arithmetic program is formed by the following processes.

[0327] (1) The multiplication of the v coordinates of the point P on the Montgomery form elliptic curve E and B is performed, and the result is set in T1.

[0328] (2) The multiplication of T1 and the W coordinate W[d] of P[d] is performed, and the result is set in T2.

[0329] (3) The multiplication of T2 and the U coordinate U[d+1] of P[d+1] is performed, and the result is set in T3.

[0330] (4) The multiplication of T3 and the W coordinate W[d+1] of P[d+1] is performed, and the result is set in T4.

[0331] (5) The multiplication of T4 and U[d] is performed, and the result is set in U′[d].

[0332] (6) The multiplication of T4 and W[d] is performed, and the result is set in W′[d].

[0333] (7) The multiplication of the coordinate u of P and U[d] is performed, and the result is set in T5.

[0334] (8) W[d] is subtracted from T5, and the result is set in T6. The process corresponds to the arithmetic of “u×U[d]−W[d]”.

[0335] (9) The multiplication of T6 and W[d+1] is performed, and the result is set in T7. This process corresponds to the arithmetic of “(u×U[d]−W[d])×W[d+1]”.

[0336] (10) The multiplication of u and W[d] is performed, and the result is set in T8.

[0337] (11) T8 is subtracted from U[d], and the result is set in T9. This process corresponds to the arithmetic of “U[d]−u×W[d]”.

[0338] (12) The multiplication of T9 and U[d+1] is performed, and the result is set in T10. This process corresponds to the arithmetic of “(U[d]−u×W[d])×U[d+1]”.

[0339] (13) T7 is added to T10, and the result is set in T11.

[0340] (14) T10 is subtracted from T7, and the result is set in T12.

[0341] (15) The multiplication of T11 and T12 is performed, and V′[d] is obtained.

[0342] Using the above mentioned arithmetic program, the coordinates (U′[d]:V′[d]:W′[d]) of P[d] in the projective coordinate system can be computed.

[0343] In this case, the computation can be realized by eleven multiplying operations and several adding, subtracting, and constant multiplication.
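Equations (1A) through (3A) of the fifteenth embodiment, as an added example that is not part of the patent text: the v coordinate is discarded from reference values of P[d] and P[d+1], each U/W pair is rescaled by an arbitrary factor, and the recovery equations restore the full point, which is compared with the reference. The field, the coefficient A, the point P, the derived B and the scale factors are constructed here, and the affine Montgomery addition used as the reference is the textbook chord-and-tangent rule, not code from the patent.

```python
# Toy parameters constructed for this example (not taken from the patent).
p = 2**127 - 1                       # prime field GF(p)
A = 486662
P = (9, 5)                           # chosen affine point (u, v), v != 0

def inv(x):
    """Modular inverse in GF(p) by Fermat's little theorem."""
    return pow(x % p, p - 2, p)

# Choose B so that P lies on E: B*v^2 = u^3 + A*u^2 + u.
B = (P[0] ** 3 + A * P[0] ** 2 + P[0]) * inv(P[1] ** 2) % p
assert B * (A * A - 4) % p != 0

def mont_add(P1, P2):
    """Reference affine addition on the Montgomery curve; None is infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (u1, v1), (u2, v2) = P1, P2
    if u1 == u2 and (v1 + v2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * u1 * u1 + 2 * A * u1 + 1) * inv(2 * B * v1) % p
    else:
        lam = (v2 - v1) * inv(u2 - u1) % p
    u3 = (B * lam * lam - A - u1 - u2) % p
    return (u3, (lam * (u1 - u3) - v1) % p)

def mont_mult(d, P):
    """Reference left-to-right double-and-add."""
    R = None
    for bit in bin(d)[2:]:
        R = mont_add(R, R)
        if bit == "1":
            R = mont_add(R, P)
    return R

def recover(P, Qd, Qd1):
    """Equations (1A)-(3A): (U':V':W') of P[d] from U/W of P[d] and P[d+1]."""
    (u, v), (Ud, Wd), (Ue, We) = P, Qd, Qd1
    r = 4 * B * v * Ue * We * Wd % p
    Vp = ((u * Ud - Wd) ** 2 * We * We - (Ud - u * Wd) ** 2 * Ue * Ue) % p
    return (r * Ud % p, Vp, r * Wd % p)

def to_affine(Up, Vp, Wp):
    """One inversion; W'=0 happens when v, U[d+1], W[d] or W[d+1] is zero."""
    if Wp == 0:
        raise ValueError("W' is zero: v cannot be recovered from these inputs")
    wi = inv(Wp)
    return (Up * wi % p, Vp * wi % p)

def recover_affine(d, s=12345, t=67890):
    """Return (recovered P[d], reference P[d]); s and t are arbitrary scalings."""
    Rd, Rd1 = mont_mult(d, P), mont_mult(d + 1, P)
    Qd = (Rd[0] * s % p, s)          # v dropped, projective U/W only
    Qd1 = (Rd1[0] * t % p, t)
    return to_affine(*recover(P, Qd, Qd1)), Rd

if __name__ == "__main__":
    got, want = recover_affine(0xBEEF)
    print(got == want)
```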

[0344] The computation time required by the arithmetic program in the above mentioned embodiment is compared with the computation time required by the algorithm shown in FIG. 3.

[0345] In the case of the number of bits of n=160, assume that the time required in the multiplication in the GF(p^m) is M, the time required by the squaring is S, and the time required to compute an inverse is I, with 1I=30M and 1S=0.8M.

[0346] The computation time required by the algorithm 1 (binary method) and the scalar multiplication on the Jacobian coordinates is 2226.0 M, and the computation time required by the algorithm 1 (signed binary method) and the scalar multiplication on the Jacobian coordinates is 1950.4 M.

[0347] On the other hand, according to the present embodiment, the computation time required by, for example, the algorithm 3 for computing the scalar multiplication using the arithmetic program of the elliptic curve addition without using a Y coordinate in the projective coordinate system shown in FIG. 8, the arithmetic program of the elliptic curve doubling without using a Y coordinate in the projective coordinate system shown in FIG. 12, and the arithmetic program for computing the coordinates (X′[d]:Y′[d]:Z′[d]) in the projective coordinate system shown in FIG. 13 is 1742.2 M.

[0348] Additionally, the computation time required when the algorithm 3 is used for computing the scalar multiplication when Z=1, using the arithmetic program of the elliptic curve addition without using a Y coordinate in the projective coordinate system shown in FIG. 9, the arithmetic program of the elliptic curve doubling without using the Y coordinate in the projective coordinate system shown in FIG. 12, and the arithmetic program for computing the coordinates (X′[d]:Y′[d]:Z′[d]) in the projective coordinate system shown in FIG. 13 is 1583.2 M.

[0349] The computation time required by, for example, the algorithm 3 being used for the scalar multiplication using the arithmetic program of the elliptic curve addition without using a Y coordinate in the projective coordinate system shown in FIG. 10, the arithmetic program of the elliptic curve doubling without using a Y coordinate in the projective coordinate system shown in FIG. 12, and the arithmetic program for computing the coordinates (X′[d]:Y′[d]:Z′[d]) in the projective coordinate system shown in FIG. 13 is 1901.2 M.

[0350] Additionally, the computation time required when the algorithm 3 is used for computing the scalar multiplication when Z=1, using the arithmetic program of the elliptic curve addition without using a Y coordinate in the projective coordinate system shown in FIG. 11, the arithmetic program of the elliptic curve doubling without using the Y coordinate in the projective coordinate system shown in FIG. 12, and the arithmetic program for computing the coordinates (X′[d]:Y′[d]:Z′[d]) in the projective coordinate system shown in FIG. 13 is 1583.2 M.

[0351] As described above, the computation time for the scalar multiplication can be considerably shortened.

[0352] FIG. 17 shows an example of the hardware environment of an information processing device 20 for executing the arithmetic program of the scalar multiplication according to the embodiments of the present invention.

[0353] A basic program such as BIOS is stored in ROM 24 connected to two CPUs 22 and 23 through a bus 21. The program is also stored in a storage device 25 such as a hard disk connected to the CPUs 22 and 23 through the bus 21, copied to RAM 26, and executed by the CPUs 22 and 23. A storage medium reading device 27 reads the program from a portable storage medium 28 such as a flexible disk, CD-ROM, DVD, etc., and allows the information processing device 20 to install it, or reads the program directly from the portable storage medium 28 for execution by the CPUs 22 and 23.

[0354] An input/output device 29 comprises a keyboard, a mouse, a template, a display, etc., transmits an instruction from a user of the information processing device 20 to the CPUs 22 and 23, and presents an arithmetic result from the CPUs 22 and 23 to the user.

[0355] A communications interface 30 connects the information processing device 20 to an information provider 32 through a network 31. The information provider 32 can store the program in the server device, etc. to download it to the information processing device 20 through the network 31.

[0356] The present invention can be applied not only to the above mentioned binary expression of a natural number d, but also to any arithmetic method of the scalar multiplication in which an elliptic curve addition and an elliptic curve doubling can be concurrently performed.

[0357] It is also applied to any elliptic curve including a Weierstrass form elliptic curve and a Montgomery form elliptic curve.

[0358] The present invention can perform scalar multiplication at a high speed, and improve the resistance to side channel attacks.
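The scalar multiplication that the claims below spell out (the loop of claim 2 with the Y-free addition of claim 10, the doubling of claim 13 and the coordinate recovery of claim 16), as an added Python example that is not the patent's own code. The toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) of order 19, and all function names, are assumptions.

```python
# Added example, not the patent's code. Toy curve y^2 = x^3 + 2x + 2 over
# GF(17), base point (5, 1) of prime order 19: assumed demo parameters.
P_MOD, A, B = 17, 2, 2
BASE = (5, 1)


def inv(x):
    return pow(x, P_MOD - 2, P_MOD)


def ecadd_x(p1, p2, diff):
    """Claim 10: (X3:Z3) of P1+P2 from (X:Z) of P1, P2 and of P3' = P1-P2."""
    (X1, Z1), (X2, Z2), (X3d, Z3d) = p1, p2, diff
    sq = (X1 * Z2 - X2 * Z1) ** 2
    X3 = Z3d * (2 * (X1 * Z2 + X2 * Z1) * (X1 * X2 + A * Z1 * Z2)
                + 4 * B * Z1**2 * Z2**2) - X3d * sq
    return X3 % P_MOD, Z3d * sq % P_MOD


def ecdbl_x(p1):
    """Claim 13: (X4:Z4) of 2*P1 from (X1:Z1)."""
    X1, Z1 = p1
    X4 = (X1**2 - A * Z1**2) ** 2 - 8 * B * X1 * Z1**3
    Z4 = 4 * (X1 * Z1 * (X1**2 + A * Z1**2) + B * Z1**4)
    return X4 % P_MOD, Z4 % P_MOD


def ladder(d, x):
    """Claim 2 loop. Returns (Q[0], Q[1], n_add, n_dbl) with Q[0] = d*P and
    Q[1] = (d+1)*P as (X:Z) pairs. Q[1]-Q[0] is always P, so diff = (x:1)."""
    if d < 1:
        raise ValueError("d must be a natural number")
    base = (x % P_MOD, 1)
    q = [base, ecdbl_x(base), None]       # Q[0] = P, Q[1] = 2*P
    n_add = n_dbl = 0
    for bit in bin(d)[3:]:                # bits below the leading 1
        di = int(bit)
        # Both operations read only the old Q[0], Q[1], so they can run
        # concurrently; one ECADD and one ECDBL happen whatever the bit is.
        # The index Q[d[i]] itself still depends on the bit in this sketch.
        q[2] = ecdbl_x(q[di])
        n_dbl += 1
        q[1] = ecadd_x(q[0], q[1], base)
        n_add += 1
        q[0], q[1] = q[2 - di], q[1 + di]
    return q[0], q[1], n_add, n_dbl


def recover(x, y, qd, qd1):
    """Claim 16: affine (x, y) of P[d] from P = (x, y), P[d] and P[d+1]."""
    (Xd, Zd), (Xd1, Zd1) = qd, qd1
    Xp = 2 * y * Zd**2 * Zd1 * Xd
    Yp = (Zd1 * (y * y * Zd**3 + Xd**3 + A * Xd * Zd**2 + B * Zd**3)
          - (x * Zd - Xd) ** 2 * (x * Zd * Zd1 + Xd * Zd1 + Xd1 * Zd))
    Zp = 2 * y * Zd**2 * Zd1 * Zd % P_MOD
    if Zp == 0:
        raise ValueError("Z' = 0: y = 0, or P[d] or P[d+1] is at infinity")
    z_inv = inv(Zp)
    return Xp * z_inv % P_MOD, Yp * z_inv % P_MOD


def scalar_mult(d, point):
    x, y = point
    q0, q1, _, _ = ladder(d, x)
    return recover(x, y, q0, q1)


def ref_add(p1, p2):
    """Textbook affine addition, used only to cross-check the ladder."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1)
    else:
        lam = (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ref_mul(d, point):
    acc = None
    for bit in bin(d)[2:]:
        acc = ref_add(acc, acc)
        if bit == "1":
            acc = ref_add(acc, point)
    return acc
```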

What is claimed is:
1. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and an arithmetic unit concurrently performing an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when obtaining d×P by repeatedly performing arithmetics (1) through (3) listed below a predetermined number of times based on the coordinates of the point P and the natural number d obtained by said obtaining unit.
Q[2]=ECADD(Q[0],Q[1])  (1)
Q[0]=ECDBL(Q[0])  (2)
Q[1]=Q[1+d[i]]  (3)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 0, and a coefficient of a binary expression of a natural number d obtained by said obtaining unit is d[i] (i=0~n−1, d[i]=0, 1)
2. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and an arithmetic unit concurrently performing an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when obtaining d×P by repeatedly performing arithmetics (1) through (4) listed below a predetermined number of times based on the coordinates of the point P and the natural number d obtained by said obtaining unit.
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d obtained by said obtaining unit is d[i] (d[n−1]~d[0], d[i]=0, 1)
3. The apparatus according to claim 2, wherein: said arithmetic unit comprises a first register for storing Q[0] and a second register for storing Q[1], after setting the initial value P of Q[0] in said first register and the initial value 2×P of Q[1] in said second register, performs the elliptic curve addition ECADD and the elliptic curve doubling ECDBL, stores an arithmetic result of the elliptic curve doubling ECDBL in said first register and an arithmetic result of the elliptic curve addition ECADD in said second register when d[i]=0, and stores an arithmetic result of the elliptic curve doubling ECDBL in said second register and an arithmetic result of the elliptic curve addition ECADD in said first register when d[i]=1.
4. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and an arithmetic unit computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using a y coordinate by
x3=[(x1×x2−a)^2−4b(x1+x2)]/[x3′×(x1−x2)^2]
5. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and an arithmetic unit computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using y coordinates by
x3=[2(x1+x2)×(x1×x2+a)+4b]/[(x1−x2)^2]−x3′
6. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and an arithmetic unit computing an x coordinate x4 of an elliptic curve doubling P4=2×P1 without using a y coordinate by
x4=[(x1^2−a)^2−8×x1]/[4(x1^3+a×x1+b)]
7. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate of a point P1 on an elliptic curve over a finite field, an x coordinate of a point P2, and an x coordinate of P3′=P1−P2; and an arithmetic unit computing an X coordinate X3 and a Z coordinate Z3 of a point P3 of an elliptic curve addition P3=P1+P2 in a projective coordinate system by equations (1) and (2)
X3=Z3′×[(X1×X2−aZ1×Z2)^2−4bZ1×Z2(X1×Z2+X2×Z1)]  (1)
Z3=X3′×[(X1×Z2−X2×Z1)^2]  (2)
where an X coordinate of the point P1 is X1 and a Z coordinate is Z1, an X coordinate of the point P2 is X2 and a Z coordinate is Z2, an X coordinate of the point P3′=P1−P2 is X3′ and a Z coordinate is Z3′ in the projective coordinate system, and Z3′≠0, X1×Z2≠X2×Z1
8. The apparatus according to claim 7, wherein said arithmetic unit obtains an X coordinate and a Z coordinate of the elliptic curve addition P3=P1+P2 in the projective coordinate system by performing arithmetics listed below
T1←X1×X2  (1)
T2←Z1×Z2  (2)
T3←X1×Z2  (3)
T4←X2×Z1  (4)
T5←aT2(=aZ1×Z2)  (5)
T6←T1−T5(=X1×X2−aZ1×Z2)  (6)
T7←T6^2(=(X1×X2−aZ1×Z2)^2)  (7)
T8←b×T2(=bZ1×Z2)  (8)
T9←4T8(=4bZ1×Z2)  (9)
T10←T3+T4(=X1×Z2+X2×Z1)  (10)
T11←T9×T10(=4bZ1×Z2(X1×Z2+X2×Z1))  (11)
T12←T7−T11(=(X1×X2−aZ1×Z2)^2−4bZ1×Z2(X1×Z2+X2×Z1))  (12)
X3←Z3′×T12  (13)
T13←T3−T4(=X1×Z2−X2×Z1)  (14)
T14←T13^2(=(X1×Z2−X2×Z1)^2)  (15)
Z3←X3′×T14  (16)
9. The apparatus according to claim 7, wherein said arithmetic unit obtains an X coordinate and a Z coordinate of the elliptic curve addition P3=P1+P2 in the projective coordinate system by performing arithmetics listed below when Z3′=1
T1←X1×X2  (1)
T2←Z1×Z2  (2)
T3←X1×Z2  (3)
T4←X2×Z1  (4)
T5←aT2(=aZ1×Z2)  (5)
T6←T1−T5(=X1×X2−aZ1×Z2)  (6)
T7←T6^2(=(X1×X2−aZ1×Z2)^2)  (7)
T8←bT2(=bZ1×Z2)  (8)
T9←4T8(=4bZ1×Z2)  (9)
T10←T3+T4(=X1×Z2+X2×Z1)  (10)
T11←T9×T10(=4bZ1×Z2(X1×Z2+X2×Z1))  (11)
X3←T7−T11(=(X1×X2−aZ1×Z2)^2−4bZ1×Z2(X1×Z2+X2×Z1))  (12)
T13←T3−T4(=X1×Z2−X2×Z1)  (13)
T14←T13^2(=(X1×Z2−X2×Z1)^2)  (14)
Z3←X3′×T14  (15)
10. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining x coordinates of points P1, P2, and P3′=P1−P2 on an elliptic curve over a finite field; and an arithmetic unit computing an X coordinate X3 and a Z coordinate Z3 of an elliptic curve addition P3=P1+P2 in a projective coordinate system without using Y coordinates by equations (1) and (2) listed below based on the x coordinates of the points P1, P2, and P3′ obtained by said obtaining unit
X3=Z3′×[2(X1×Z2+X2×Z1)×(X1×X2+aZ1×Z2)+4bZ1^2×Z2^2]−X3′×[(X1×Z2−X2×Z1)^2]  (1)
Z3=Z3′×[(X1×Z2−X2×Z1)^2]  (2)
where an X coordinate of the point P1 is X1 and a Z coordinate is Z1, an X coordinate of the point P2 is X2 and a Z coordinate is Z2, an X coordinate of the point P3′=P1−P2 is X3′ and a Z coordinate is Z3′, and Z3′≠0, X1×Z2≠X2×Z1 in the projective coordinate system.
11. The apparatus according to claim 10, wherein said arithmetic unit computes an X coordinate X3 and a Z coordinate Z3 of an elliptic curve addition P3=P1+P2 in the projective coordinate system without using Y coordinates by performing equations below
T1←X1×X2  (1)
T2←Z1×Z2  (2)
T3←X1×Z2  (3)
T4←X2×Z1  (4)
T5←T3+T4(=X1×Z2+X2×Z1)  (5)
T6←a×T2(=aZ1×Z2)  (6)
T7←T1+T6(=X1×X2+aZ1×Z2)  (7)
T8←T5×T7(=(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2))  (8)
T9←2×T8(=2(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2))  (9)
T10←T2^2(=Z1^2×Z2^2)  (10)
T11←b×T10(=bZ1^2×Z2^2)  (11)
T12←4·T11(=4bZ1^2×Z2^2)  (12)
T13←T9+T12(=2(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2)+4bZ1^2×Z2^2)  (13)
T14←T3−T4(=X1×Z2−X2×Z1)  (14)
T15←T14^2(=(X1×Z2−X2×Z1)^2)  (15)
T16←Z3′×T13  (16)
T17←X3′×T15  (17)
X3←T16−T17  (18)
Z3←Z3′×T15  (19)
12. The apparatus according to claim 10, wherein said arithmetic unit computes the X coordinate X3 and the Z coordinate Z3 of the elliptic curve addition P3=P1+P2 in the projective coordinate system without using Y coordinates by performing arithmetics by equations listed below when Z3′=1
T1←X1×X2  (1)
T2←Z1×Z2  (2)
T3←X1×Z2  (3)
T4←X2×Z1  (4)
T5←T3+T4(=X1×Z2+X2×Z1)  (5)
T6←a×T2(=aZ1×Z2)  (6)
T7←T1+T6(=X1×X2+aZ1×Z2)  (7)
T8←T5×T7(=(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2))  (8)
T9←2·T8(=2(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2))  (9)
T10←T2^2(=Z1^2×Z2^2)  (10)
T11←b×T10(=bZ1^2×Z2^2)  (11)
T12←4·T11(=4bZ1^2×Z2^2)  (12)
T13←T9+T12(=2(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2)+4bZ1^2×Z2^2)  (13)
T14←T3−T4(=X1×Z2−X2×Z1)  (14)
T15←T14^2(=(X1×Z2−X2×Z1)^2)  (15)
T16←T13  (16)
T17←X3′×T15  (17)
X3←T16−T17  (18)
Z3←T15  (19)
13. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining a coordinate of a point P1 on an elliptic curve over a finite field; and an arithmetic unit computing an X coordinate and a Z coordinate of an elliptic curve doubling P4=2×P1 without using Y coordinates in the projective coordinate system by using a coordinate of a point P1 obtained by said obtaining unit and equations (1) and (2) listed below
X4=[(X1^2−aZ1^2)^2−8bX1×Z1^3]; (^ indicates a power)  (1)
Z4=[4×(X1×Z1×(X1^2+a×Z1^2)+b×Z1^4)]  (2)
14. The elliptic curve cryptosystem apparatus according to claim 13, wherein said arithmetic unit computes an X coordinate and a Z coordinate of an elliptic curve doubling P4=2×P1 in the projective coordinate system by performing arithmetics by equations listed below
T1←X1^2  (1)
T2←Z1^2  (2)
T3←a×T2(=aZ1^2)  (3)
T4←T1−T3(=X1^2−aZ1^2)  (4)
T5←T4^2(=(X1^2−aZ1^2)^2)  (5)
T6←b×T2(=bZ1^2)  (6)
T7←X1×Z1(=X1×Z1)  (7)
T8←T6×T7(=bX1×Z1^3)  (8)
T9←8T8(=8bX1×Z1^3)  (9)
X4←T5−T9  (10)
T10←T1+T3(=X1^2+aZ1^2)  (11)
T11←T7×T10(=X1×Z1×(X1^2+aZ1^2))  (12)
T12←T6×T2(=bZ1^4)  (13)
T13←T11+T12(=X1×Z1×(X1^2+aZ1^2)+bZ1^4)  (14)
Z4←4T13  (15)
15. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate and a y coordinate of a point P on an elliptic curve over a finite field, and x coordinates of points P[d] and P[d+1]; and an arithmetic unit obtaining a y coordinate y[d] of P[d]=d×P by the coordinates of the points P, P[d], and P[d+1] obtained by said obtaining unit and equations listed below.
y[d]=[y^2+x[d]^3+ax[d]+b−(x−x[d])^2×(x+x[d]+x[d+1])]/[2×y]; (^ indicates a power)
where the coordinates of the point P on the elliptic curve are (x, y), the x coordinate of the point P[d]=d×P is x[d], and the x coordinate of P[d+1]=(d+1)×P is x[d+1].
16. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate and a y coordinate of a point P on an elliptic curve over a finite field, an X coordinate X[d] and a Z coordinate Z[d] of a point P[d] in a projective coordinate system, and an X coordinate X[d+1] and a Z coordinate Z[d+1] of P[d+1]=(d+1)P in the projective coordinate system; and an arithmetic unit computing coordinates (X′[d]:Y′[d]:Z′[d]) of a point P[d]=d×P in the projective coordinate system by equations (1) through (3) listed below based on coordinate data obtained by said obtaining unit
X′[d]=2y×Z[d]^2×Z[d+1]×X[d]  (1)
Y′[d]=Z[d+1]×(y^2×Z[d]^3+X[d]^3+aX[d]×Z[d]^2+bZ[d]^3)−(x×Z[d]−X[d])^2×(x×Z[d]×Z[d+1]+X[d]×Z[d+1]+X[d+1]×Z[d])  (2)
Z′[d]=2y×Z[d]^2×Z[d+1]×Z[d]  (3)
17. The elliptic curve cryptosystem apparatus according to claim 16, wherein said arithmetic unit performs arithmetics below
T1←Z[d]^2  (1)
T2←T1×Z[d+1](=Z[d]^2×Z[d+1])  (2)
T3←y×T2(=y×Z[d]^2×Z[d+1])  (3)
T4←X[d]×T3(=y×Z[d]^2×Z[d+1]×X[d])  (4)
X′[d]←2·T4  (5)
T5←Z[d]×T3(=y×Z[d]^2×Z[d+1]×Z[d])  (6)
Z′[d]←2·T5  (7)
T6←X[d]^2  (8)
T7←a×T1(=aZ[d]^2)  (9)
T8←T6+T7(=X[d]^2+aZ[d]^2)  (10)
T9←X[d]×Z[d+1]  (11)
T10←T9×T8(=X[d]×Z[d+1]×(X[d]^2+aZ[d]^2))  (12)
T11←y×T5(=y^2×Z[d]^3×Z[d+1])  (13)
T12←b×Z[d]  (14)
T13←T12×T2(=bZ[d]^3×Z[d+1])  (15)
T14←x×Z[d]  (16)
T15←T14−X[d](=x×Z[d]−X[d])  (17)
T16←T15^2(=(x×Z[d]−X[d])^2)  (18)
T17←T14×Z[d+1](=x×Z[d]×Z[d+1])  (19)
T18←X[d+1]×Z[d]  (20)
T19←T17+T9+T18  (21)
T20←T16×T19  (22)
Y′[d]←T10+T11+T13−T20  (23)
18. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and an arithmetic unit computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using y coordinates by an equation (1)
x3=[(x1×x2−a)^2−4b(x1+x2)]/[x3′×(x1−x2)^2]; (^ indicates a power),  (1)
computes an x coordinate x4 of an elliptic curve doubling P4=2×P1 without using y coordinates by an equation (2) based on coordinate data obtained by said obtaining unit
x4=[(x1^2−a)^2−8×x1]/[4(x1^3+a×x1+b)],  (2)
and computes a y coordinate y[d] of P[d]=d×P by an equation (3)
y[d]=[y^2+x[d]^3+ax[d]+b−(x−x[d])^2×(x+x[d]+x[d+1])]/[2×y]  (3)
where coordinates of a point P of an elliptic curve are (x, y), an x coordinate of a point P[d]=d×P is x[d], and an x coordinate of P[d+1]=(d+1)×P is x[d+1].
19. The elliptic curve cryptosystem apparatus according to claim 18, wherein said arithmetic unit concurrently performs an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when d×P is obtained by repeatedly performing arithmetics a predetermined number of times by equations (1) through (4)
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1).
20. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, P3′=P1−P2, and x coordinates of points P[d] and P[d+1]; and an arithmetic unit performing an arithmetic to obtain d×P by repeatedly performing arithmetics by equations (1) through (4) a predetermined number of times based on data obtained by said obtaining unit
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1), performing an arithmetic of an elliptic curve addition ECADD by an equation (5)
x3=[2(x1+x2)×(x1×x2+a)+4b]/[(x1−x2)^2]−x3′,  (5)
performing an arithmetic of an elliptic curve doubling ECDBL by an equation (6)
x4=[(x1^2−a)^2−8×x1]/[4(x1^3+a×x1+b)],  (6)
and performing an arithmetic of obtaining a y coordinate of P[d]=d×P by an equation (7)
y[d]=[y^2+x[d]^3+ax[d]+b−(x−x[d])^2×(x+x[d]+x[d+1])]/[2×y] (^ indicates a power)  (7)
where x[d]=Q[0], x[d+1]=Q[1].
21. The elliptic curve cryptosystem apparatus according to claim 20, wherein an elliptic curve addition ECADD and an elliptic curve doubling ECDBL are concurrently performed when d×P is obtained by repeatedly performing arithmetics a predetermined number of times by equations (1) through (4)
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1).
22. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining an x coordinate of a point P1 on an elliptic curve over a finite field, an x coordinate of a point P2, and an n-bit natural number d; and an arithmetic unit performing an arithmetic to obtain d×P by repeatedly performing arithmetics by equations (1) through (4) a predetermined number of times based on data obtained by said obtaining unit
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1), computing an X coordinate X3 and a Z coordinate Z3 of a point P3 of an elliptic curve addition ECADD P3=P1+P2 in a projective coordinate system by equations (5) and (6)
X3=Z3′×[(X1×X2−aZ1×Z2)^2−4bZ1×Z2(X1×Z2+X2×Z1)]; (^ indicates a power)  (5)
Z3=X3′×[(X1×Z2−X2×Z1)^2]  (6)
where an X coordinate of a point P1 is X1 and a Z coordinate is Z1, an X coordinate of a point P2 is X2 and a Z coordinate is Z2, an X coordinate of a point P3′=P1−P2 is X3′ and a Z coordinate is Z3′, Z3′≠0, and X1×Z2≠X2×Z1 in the projective coordinate system, computing an X coordinate and a Z coordinate of an elliptic curve doubling P4=2×P1 in the projective coordinate system by equations (7) and (8)
X4=[(X1^2−aZ1^2)^2−8bX1×Z1^3]  (7)
Z4=[4×(X1×Z1×(X1^2+a×Z1^2)+b×Z1^4)], and  (8)
computing coordinates (X′[d]:Y′[d]:Z′[d]) of a point P[d]=d×P in the projective coordinate system by equations (9) through (11)
X′[d]=2y×Z[d]^2×Z[d+1]×X[d]  (9)
Y′[d]=Z[d+1]×(y^2×Z[d]^3+X[d]^3+aX[d]×Z[d]^2+bZ[d]^3)−(x×Z[d]−X[d])^2×(x×Z[d]×Z[d+1]+X[d]×Z[d+1]+X[d+1]×Z[d])  (10)
Z′[d]=2y×Z[d]^2×Z[d+1]×Z[d]  (11)
where X[d]=x element of Q[0], Z[d]=y element of Q[0], X[d+1]=x element of Q[1], and Z[d+1]=y element of Q[1].
23. The apparatus according to claim 22, wherein said arithmetic unit performs: an arithmetic of an elliptic curve addition P3=P1+P2 in the projective coordinate system; an arithmetic of an elliptic curve doubling P4=2×P1 in the projective coordinate system; and an arithmetic of obtaining coordinates (X′[d]:Y′[d]:Z′[d]) of P[d] in the projective coordinate system.
24. The elliptic curve cryptosystem apparatus according to claim 22, wherein said arithmetic unit concurrently performs an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when d×P is obtained by performing an arithmetic a predetermined number of times by performing equations (1) through (4)
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1).
25. The elliptic curve cryptosystem apparatus according to claim 23, wherein said arithmetic unit concurrently performs an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when d×P is obtained by performing an arithmetic a predetermined number of times by performing equations (1) through (4)
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1).
26. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining a coordinate of a point P on an elliptic curve over a finite field and an n-bit natural number d; and an arithmetic unit performing an arithmetic to obtain d×P by repeatedly performing arithmetics by equations (1) through (4) a predetermined number of times based on data obtained by said obtaining unit
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1), computing an X coordinate X3 and a Z coordinate Z3 of an elliptic curve addition P3=P1+P2 in a projective coordinate system without using Y coordinates by equations (5) and (6)
X3=Z3′×[2(X1×Z2+X2×Z1)×(X1×X2+aZ1×Z2)+4bZ1^2×Z2^2]−X3′×[(X1×Z2−X2×Z1)^2]  (5)
Z3=Z3′×[(X1×Z2−X2×Z1)^2]  (6)
where, in the projective coordinate system of an elliptic curve, an X coordinate of a point P1 is X1 and a Z coordinate is Z1, an X coordinate of a point P2 is X2 and a Z coordinate is Z2, an X coordinate of a point P3′=P1−P2 is X3′ and a Z coordinate is Z3′, Z3′≠0, and X1×Z2≠X2×Z1, computing an X coordinate and a Z coordinate of an elliptic curve doubling P4=2×P1 in the projective coordinate system without using a Y coordinate by equations (7) and (8)
X4=[(X1^2−aZ1^2)^2−8bX1×Z1^3]; (^ indicates a power)  (7)
Z4=[4×(X1×Z1×(X1^2+a×Z1^2)+b×Z1^4)]  (8)
where an X coordinate of P1 is X1 and a Z coordinate is Z1 in the projective coordinate system, and Z1≠0, and computing coordinates (X′[d]:Y′[d]:Z′[d]) of a point P[d]=d×P in the projective coordinate system by equations (9) through (11)
X′[d]=2y×Z[d]^2×Z[d+1]×X[d]  (9)
Y′[d]=Z[d+1]×(y^2×Z[d]^3+X[d]^3+aX[d]×Z[d]^2+bZ[d]^3)−(x×Z[d]−X[d])^2×(x×Z[d]×Z[d+1]+X[d]×Z[d+1]+X[d+1]×Z[d])  (10)
Z′[d]=2y×Z[d]^2×Z[d+1]×Z[d]  (11)
where, in the projective coordinate system, an X coordinate of a point P[d] is X[d] and a Z coordinate is Z[d], and an X coordinate of P[d+1]=(d+1)P is X[d+1] and a Z coordinate is Z[d+1].
27. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and an arithmetic unit computing ECADDDBL by equations listed below
T1←X1×X2  (1)
T2←Z1×Z2  (2)
T3←X1×Z2  (3)
T4←X2×Z1  (4)
T5←T3+T4(=X1×Z2+X2×Z1)  (5)
T6←a×T2(=aZ1×Z2)  (6)
T7←T1+T6(=X1×X2+aZ1×Z2)  (7)
T8←T5×T7(=(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2))  (8)
T9←2T8(=2(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2))  (9)
T10←T2^2(=Z1^2×Z2^2)  (10)
T11←b×T10(=bZ1^2×Z2^2)  (11)
T12←4T11(=4bZ1^2×Z2^2)  (12)
T13←T9+T12(=2(X1×Z2+X2×Z1)(X1×X2+aZ1×Z2)+4bZ1^2×Z2^2)  (13)
T14←T3−T4(=X1×Z2−X2×Z1)  (14)
T15←T14^2(=(X1×Z2−X2×Z1)^2)  (15)
T16←Z3′×T13  (16)
T17←X3′×T15  (17)
X3←T16−T17  (18)
Z3←Z3′×T15  (19)
T21←T3^2(=X1^2×Z2^2)  (20)
T22←T6×T2(=aZ1^2×Z2^2)  (21)
T23←T21−T22(=X1^2×Z2^2−aZ1^2×Z2^2)  (22)
T24←T23^2(=(X1^2×Z2^2−aZ1^2×Z2^2)^2)  (23)
T25←T11  (24)
T26←T25×T2(=bZ1^3×Z2^3)  (25)
T27←T26×T3(=bX1×Z1^3×Z2^4)  (26)
T28←8·T27(=8bX1×Z1^3×Z2^4)  (27)
X4←T24−T28  (28)
T29←T21+T22(=X1^2×Z2^2+aZ1^2×Z2^2)  (29)
T30←T3×T29(=X1×Z2(X1^2×Z2^2+aZ1^2×Z2^2))  (30)
T31←T30+T26  (31)
T32←T2×T31  (32)
Z4←4T32  (33)
when following arithmetics are performed a predetermined number of times
if d[i]=1 then swap (Q[0], Q[1])  (1)
ECADDDBL(Q[0], Q[1])  (2) (where Q[0]=(X1:Z1), Q[1]=(X2:Z2))
Q[1]=(X3:Z3)  (3)
Q[2]=(X4:Z4)  (4)
Q[0]=Q[2−d[i]]  (5)
Q[1]=Q[1+d[i]]  (6)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of a natural number d is d[i] (d[i]=0, 1).
28. The elliptic curve cryptosystem apparatus according to claim 27, wherein when Z3′=1, said arithmetic unit performs arithmetics by the equations (1) through (33) using Z3′=1.
29. An elliptic curve cryptosystem apparatus, comprising: an obtaining unit obtaining a u coordinate and a v coordinate of a point P on a Montgomery form elliptic curve E, and a U coordinate and a W coordinate of points P[d] and P[d+1] in a projective coordinate system; and an arithmetic unit computing coordinates (U′[d]:V′[d]:W′[d]) of P[d]=d×P in the projective coordinate system by performing arithmetics by equations (1) through (3)
U′[d]=4Bv×U[d+1]×W[d+1]×W[d]×U[d]  (1)
V′[d]=(u×U[d]−W[d])^2×W[d+1]^2−(U[d]−u×W[d])^2×U[d+1]^2; (^ indicates a power)  (2)
W′[d]=4Bv×U[d+1]×W[d+1]×W[d]^2  (3)
where, in the projective coordinate system, a U coordinate of a point P[d]=d×P is U[d], and a W coordinate is W[d], a U coordinate of a point P[d+1]=(d+1)×P is U[d+1], and a W coordinate is W[d+1].
30. The apparatus according to claim 29, wherein said arithmetic unit computes coordinates (U′[d]:V′[d]:W′[d]) of P[d]=d×P in the projective coordinate system by performing a process by equations (1) through (15)
T1←B×v  (1)
T2←T1×W[d]  (2)
T3←T2×U[d+1]  (3)
T4←T3×W[d+1]  (4)
U′[d]←T4×U[d]  (5)
W′[d]←T4×W[d]  (6)
T5←u×U[d]  (7)
T6←T5−W[d](=u×U[d]−W[d])  (8)
T7←T6×W[d+1](=(u×U[d]−W[d])×W[d+1])  (9)
T8←u×W[d]  (10)
T9←U[d]−T8(=U[d]−u×W[d])  (11)
T10←T9×U[d+1](=(U[d]−u×W[d])×U[d+1])  (12)
T11←T7+T10  (13)
T12←T7−T10  (14)
V′[d]←T11×T12  (15)
31. A computer-readable storage medium storing an elliptic curve cryptosystem program, comprising: obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and concurrently performing an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when obtaining d×P by repeatedly performing arithmetics (1) through (3) listed below a predetermined number of times
Q[2]=ECADD(Q[0],Q[1])  (1)
Q[0]=ECDBL(Q[0])  (2)
Q[1]=Q[1+d[i]]  (3)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 0, and a coefficient of a binary expression of a natural number d obtained by said obtaining unit is d[i] (d[i]=0, 1).
32. A computer-readable storage medium storing an elliptic curve cryptosystem program, comprising: obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and concurrently performing an elliptic curve addition ECADD and an elliptic curve doubling ECDBL when obtaining d×P by repeatedly performing arithmetics (1) through (4) listed below a predetermined number of times based on the coordinates of the point P and the natural number d.
Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of the obtained natural number d is d[i] (d[i]=0, 1)
33. The storage medium according to claim 32, wherein: a first register stores Q[0] and a second register stores Q[1]; after setting the initial value P of Q[0] in said first register and the initial value 2×P of Q[1] in said second register, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL are performed, an arithmetic result of the elliptic curve doubling ECDBL is stored in said first register and an arithmetic result of the elliptic curve addition ECADD in said second register when d[i]=0, and an arithmetic result of the elliptic curve doubling ECDBL is stored in said second register and an arithmetic result of the elliptic curve addition ECADD in said first register when d[i]=1.
34. A computer-readable storage medium storing an elliptic curve cryptosystem program, comprising: obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using y coordinates by equations
x3=[(x1×x2−a)^2−4b(x1+x2)]/[x3′×(x1−x2)^2]
where an x coordinate of P3=P1+P2 is x3.
35. A computer-readable storage medium storing an elliptic curve cryptosystem program, comprising: obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using y coordinates by equations
x3=[2(x1+x2)×(x1×x2+a)+4b]/[(x1−x2)^2]−x3′
where an x coordinate of P3=P1+P2 is x3.
36. A computer-readable storage medium storing an elliptic curve cryptosystem program, comprising: obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and computing an x coordinate x4 of an elliptic curve doubling P4=2×P1 without using y coordinates by equations
x4=[(x1^2−a)^2−8×x1]/[4(x1^3+a×x1+b)]
where an x coordinate of P4=2×P1 is x4.
37. A computer-readable storage medium storing an elliptic curve cryptosystem program, comprising: obtaining an x coordinate of a point P1 on an elliptic curve over a finite field, an x coordinate of a point P2, and an x coordinate of P3′=P1−P2; and computing an X coordinate X3 and a Z coordinate Z3 of a point P3 of an elliptic curve addition P3=P1+P2 in a projective coordinate system by equations (1) and (2)
X3=Z3′×[(X1×X2−aZ1×Z2)^2−4bZ1×Z2(X1×Z2+X2×Z1)]  (1)
Z3=X3′×[(X1×Z2−X2×Z1)^2]  (2)
where, in the projective coordinate system, an X coordinate of the point P1 is X1 and a Z coordinate is Z1, an X coordinate of the point P2 is X2 and a Z coordinate is Z2, an X coordinate of the point P3′=P1−P2 is X3′ and a Z coordinate is Z3′, and Z3′≠0, X1×Z2≠X2×Z1
38. An arithmetic method for an elliptic curve cryptosystem, comprising: obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and performing arithmetic to obtain d×P by concurrently performing an elliptic curve addition ECADD and an elliptic curve doubling ECDBL by repeatedly performing arithmetics (1) through (3) listed below a predetermined number of times
Q[2]=ECADD(Q[0],Q[1])  (1)
Q[0]=ECDBL(Q[0])  (2)
Q[1]=Q[1+d[i]]  (3)
where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 0, and a coefficient of a binary expression of the obtained natural number d is d[i] (d[i]=0, 1).
39. An arithmetic method for an elliptic curve cryptosystem, comprising: obtaining coordinates of a point P on an elliptic curve over a finite field and an n-bit natural number d; and performing arithmetic to obtain d×P by concurrently performing an elliptic curve addition ECADD and an elliptic curve doubling ECDBL by repeatedly performing arithmetics (1) through (4) listed below a predetermined number of times based on the coordinates of the point P and the natural number d

Q[2]=ECDBL(Q[d[i]])  (1)
Q[1]=ECADD(Q[0],Q[1])  (2)
Q[0]=Q[2−d[i]]  (3)
Q[1]=Q[1+d[i]]  (4)

where an initial value of a variable Q[0] is P, an initial value of a variable Q[1] is 2×P, and a coefficient of a binary expression of the obtained natural number d is d[i] (d[i]=0, 1).

40. The method according to claim 39, wherein: a first register stores Q[0] and a second register stores Q[1]; after setting the initial value P of Q[0] in said first register and the initial value 2×P of Q[1] in said second register, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL are performed, an arithmetic result of the elliptic curve doubling ECDBL is stored in said first register and an arithmetic result of the elliptic curve addition ECADD in said second register when d[i]=0, and an arithmetic result of the elliptic curve doubling ECDBL is stored in said second register and an arithmetic result of the elliptic curve addition ECADD in said first register when d[i]=1.

41. An arithmetic method for an elliptic curve cryptosystem, comprising: obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using a y coordinate by equations

x3=[(x1×x2−a)^2−4b(x1+x2)]/[x3′×(x1−x2)^2]

where an x coordinate of P3=P1+P2 is x3.

42. An arithmetic method for an elliptic curve cryptosystem, comprising: obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and computing an x coordinate x3 of a point P3 of an elliptic curve addition P3=P1+P2 without using y coordinates by equations

x3=[2(x1+x2)×(x1×x2+a)+4b]/[(x1−x2)^2]−x3′

where an x coordinate of P3=P1+P2 is x3.

43. An arithmetic method for an elliptic curve cryptosystem, comprising: obtaining an x coordinate x1 of a point P1 on an elliptic curve over a finite field, an x coordinate x2 of a point P2, and P3′=P1−P2; and computing an x coordinate x4 of an elliptic curve doubling P4=2×P1 without using y coordinates by equations

x4=[(x1^2−a)^2−8×x1]/[4(x1^3+a×x1+b)]

where an x coordinate of P4=2×P1 is x4.

44. An arithmetic method for an elliptic curve cryptosystem, comprising: obtaining an x coordinate of a point P1 on an elliptic curve over a finite field, an x coordinate of a point P2, and an x coordinate of P3′=P1−P2; and computing an X coordinate X3 and a Z coordinate Z3 of a point P3 of an elliptic curve addition P3=P1+P2 in a projective coordinate system by equations (1) and (2)

X3=Z3′×[(X1×X2−aZ1×Z2)^2−4bZ1×Z2(X1×Z2+X2×Z1)]  (1)
Z3=X3′×[(X1×Z2−X2×Z1)^2]  (2)

where an X coordinate of the point P1 is X1 and a Z coordinate is Z1, an X coordinate of the point P2 is X2 and a Z coordinate is Z2, an X coordinate of the point P3′=P1−P2 is X3′ and a Z coordinate is Z3′ in the projective coordinate system, and Z3≠0, X1×Z2≠X2×Z1.

45. An elliptic curve cryptosystem apparatus which performs a scalar multiplication of a natural number and a base point P set on an elliptic curve E, comprising: a storage unit storing an elliptic curve over a finite field as the elliptic curve E, an n-bit natural number d, and the base point P; and an arithmetic unit obtaining d×P as a multiple of d of a point P in the scalar multiplication by concurrent computation of an elliptic curve addition and an elliptic curve doubling.
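
The following sketch is an added example, not code from the patent: it runs steps (1) through (4) of claim 39 and, at every step, checks the x-only additions of claims 41 and 42 against ordinary affine addition. The curve y^2=x^3+2x+2 over GF(17) with base point (5, 1) is a constructed textbook-sized parameter set, and starting the loop at the bit below the leading 1 of d is an assumption that follows from the initial values P and 2×P.

```python
# Constructed textbook-sized curve y^2 = x^3 + 2x + 2 over GF(17); G has prime order 19.
# Illustration only: deployed curves are around 256 bits.
P_MOD, A, B = 17, 2, 2
G, INF = (5, 1), None  # INF stands for the point at infinity

def inv(v):
    return pow(v % P_MOD, -1, P_MOD)  # modular inverse (Python 3.8+)

def ecadd(p1, p2):
    """Ordinary affine addition with y coordinates, used as the reference."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ecdbl(p1):
    return ecadd(p1, p1)

def x_add_mul(x1, x2, xd):
    """Claims 34/41: x of P1+P2 from x1, x2 and xd = x of P1-P2 (xd != 0, x1 != x2)."""
    num = (x1 * x2 - A) ** 2 - 4 * B * (x1 + x2)
    return num * inv(xd * (x1 - x2) ** 2) % P_MOD

def x_add_sum(x1, x2, xd):
    """Claims 35/42: same inputs, additive form (x1 != x2)."""
    num = 2 * (x1 + x2) * (x1 * x2 + A) + 4 * B
    return (num * inv((x1 - x2) ** 2) - xd) % P_MOD

def ladder(d, P):
    """Claim 39 steps (1)-(4). Returns (d*P, True if every x-only check matched)."""
    q, ok = [P, ecdbl(P), INF], True
    for ch in bin(d)[3:]:  # assumption: bits below the leading 1, high to low
        di = int(ch)
        q[2] = ecdbl(q[di])                       # (1)
        s = ecadd(q[0], q[1])
        # Q[1]-Q[0] = P throughout, so the x of the difference is always P's x.
        if INF not in (q[0], q[1]) and q[0][0] != q[1][0]:
            ok &= x_add_sum(q[0][0], q[1][0], P[0]) == s[0]
            ok &= P[0] == 0 or x_add_mul(q[0][0], q[1][0], P[0]) == s[0]
        q[1] = s                                  # (2)
        q[0] = q[2 - di]                          # (3)
        q[1] = q[1 + di]                          # (4)
    return q[0], ok
```

The x-only checks are skipped when either operand is the point at infinity or when x1 equals x2, which are the cases excluded by the divisor (x1−x2)^2.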